Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
01koiHnedL.exe

Overview

General Information

Sample name:01koiHnedL.exe
renamed because original name is a hash value
Original sample name:1f41f02970cfdce69e628299a96d754d.exe
Analysis ID:1511706
MD5:1f41f02970cfdce69e628299a96d754d
SHA1:fb04fa7cbe25caccd197dac9af74496e3b513866
SHA256:6d48ccbf40f5f43149cb69f1659d683fc7eaf5cee527f724a1761e548c1a5fe2
Tags:exenjratRAT
Infos:

Detection

Njrat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Njrat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Disables zone checking for all users
Machine Learning detection for sample
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 01koiHnedL.exe (PID: 3420 cmdline: "C:\Users\user\Desktop\01koiHnedL.exe" MD5: 1F41F02970CFDCE69E628299A96D754D)
    • netsh.exe (PID: 6756 cmdline: netsh firewall add allowedprogram "C:\Users\user\Desktop\01koiHnedL.exe" "01koiHnedL.exe" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
NjRATRedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Campaign ID": "clien", "Version": "0.7d", "Install Name": "f7e6d24b4a113d9753558dfbb032c2ac", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
01koiHnedL.exeJoeSecurity_NjratYara detected NjratJoe Security
    01koiHnedL.exeWindows_Trojan_Njrat_30f3c220unknownunknown
    • 0x115d2:$a1: get_Registry
    • 0x15a4f:$a2: SEE_MASK_NOZONECHECKS
    • 0x156f1:$a3: Download ERROR
    • 0x15ca1:$a4: cmd.exe /c ping 0 -n 2 & del "
    • 0x13c2e:$a5: netsh firewall delete allowedprogram "
    01koiHnedL.exeCN_disclosed_20180208_cDetects malware from disclosed CN malware setFlorian Roth
    • 0x15ca1:$x1: cmd.exe /c ping 0 -n 2 & del "
    • 0x137ba:$s1: winmgmts:\\.\root\SecurityCenter2
    • 0x1570f:$s3: Executed As
    • 0x124f0:$s5: Stub.exe
    • 0x156f1:$s6: Download ERROR
    • 0x1377c:$s8: Select * From AntiVirusProduct
    01koiHnedL.exeNjratdetect njRAT in memoryJPCERT/CC Incident Response Group
    • 0x15a4f:$reg: SEE_MASK_NOZONECHECKS
    • 0x156d5:$msg: Execute ERROR
    • 0x15729:$msg: Execute ERROR
    • 0x15ca1:$ping: cmd.exe /c ping 0 -n 2 & del
    01koiHnedL.exeMALWARE_Win_NjRATDetects NjRAT / BladabindiditekSHen
    • 0x13c2e:$s1: netsh firewall delete allowedprogram
    • 0x13c80:$s2: netsh firewall add allowedprogram
    • 0x15ca1:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
    • 0x156d5:$s4: Execute ERROR
    • 0x15729:$s4: Execute ERROR
    • 0x156f1:$s5: Download ERROR

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_NjratYara detected NjratJoe Security
      00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmpWindows_Trojan_Njrat_30f3c220unknownunknown
      • 0x113d2:$a1: get_Registry
      • 0x1584f:$a2: SEE_MASK_NOZONECHECKS
      • 0x154f1:$a3: Download ERROR
      • 0x15aa1:$a4: cmd.exe /c ping 0 -n 2 & del "
      • 0x13a2e:$a5: netsh firewall delete allowedprogram "
      00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmpNjratdetect njRAT in memoryJPCERT/CC Incident Response Group
      • 0x1584f:$reg: SEE_MASK_NOZONECHECKS
      • 0x154d5:$msg: Execute ERROR
      • 0x15529:$msg: Execute ERROR
      • 0x15aa1:$ping: cmd.exe /c ping 0 -n 2 & del
      00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_NjratYara detected NjratJoe Security
        Process Memory Space: 01koiHnedL.exe PID: 3420JoeSecurity_NjratYara detected NjratJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.0.01koiHnedL.exe.350000.0.unpackJoeSecurity_NjratYara detected NjratJoe Security
            0.0.01koiHnedL.exe.350000.0.unpackWindows_Trojan_Njrat_30f3c220unknownunknown
            • 0x115d2:$a1: get_Registry
            • 0x15a4f:$a2: SEE_MASK_NOZONECHECKS
            • 0x156f1:$a3: Download ERROR
            • 0x15ca1:$a4: cmd.exe /c ping 0 -n 2 & del "
            • 0x13c2e:$a5: netsh firewall delete allowedprogram "
            0.0.01koiHnedL.exe.350000.0.unpackCN_disclosed_20180208_cDetects malware from disclosed CN malware setFlorian Roth
            • 0x15ca1:$x1: cmd.exe /c ping 0 -n 2 & del "
            • 0x137ba:$s1: winmgmts:\\.\root\SecurityCenter2
            • 0x1570f:$s3: Executed As
            • 0x124f0:$s5: Stub.exe
            • 0x156f1:$s6: Download ERROR
            • 0x1377c:$s8: Select * From AntiVirusProduct
            0.0.01koiHnedL.exe.350000.0.unpackNjratdetect njRAT in memoryJPCERT/CC Incident Response Group
            • 0x15a4f:$reg: SEE_MASK_NOZONECHECKS
            • 0x156d5:$msg: Execute ERROR
            • 0x15729:$msg: Execute ERROR
            • 0x15ca1:$ping: cmd.exe /c ping 0 -n 2 & del
            0.0.01koiHnedL.exe.350000.0.unpackMALWARE_Win_NjRATDetects NjRAT / BladabindiditekSHen
            • 0x13c2e:$s1: netsh firewall delete allowedprogram
            • 0x13c80:$s2: netsh firewall add allowedprogram
            • 0x15ca1:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67
            • 0x156d5:$s4: Execute ERROR
            • 0x15729:$s4: Execute ERROR
            • 0x156f1:$s5: Download ERROR

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-09-16T08:32:03.708470+020020211761Malware Command and Control Activity Detected192.168.2.649711147.185.221.1861276TCP
            2024-09-16T08:32:50.098627+020020211761Malware Command and Control Activity Detected192.168.2.649718147.185.221.1861276TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-09-16T08:32:03.708470+020020331321Malware Command and Control Activity Detected192.168.2.649711147.185.221.1861276TCP
            2024-09-16T08:32:50.098627+020020331321Malware Command and Control Activity Detected192.168.2.649718147.185.221.1861276TCP
            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-09-16T08:32:09.137258+020028255641Malware Command and Control Activity Detected192.168.2.649711147.185.221.1861276TCP
            2024-09-16T08:32:55.280177+020028255641Malware Command and Control Activity Detected192.168.2.649718147.185.221.1861276TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: 01koiHnedL.exeAvira: detected
            Found malware configuration
            Source: 0.0.01koiHnedL.exe.350000.0.unpackMalware Configuration Extractor: Njrat {"Campaign ID": "clien", "Version": "0.7d", "Install Name": "f7e6d24b4a113d9753558dfbb032c2ac", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
            Multi AV Scanner detection for submitted file
            Source: 01koiHnedL.exeReversingLabs: Detection: 86%
            Source: 01koiHnedL.exeVirustotal: Detection: 75%Perma Link
            Yara detected Njrat
            Source: Yara matchFile source: 01koiHnedL.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 01koiHnedL.exe PID: 3420, type: MEMORYSTR
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for sample
            Source: 01koiHnedL.exeJoe Sandbox ML: detected
            Source: 01koiHnedL.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\01koiHnedL.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
            Source: 01koiHnedL.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Spreading

            barindex
            Contains functionality to spread to USB devices (.Net source)
            Source: 01koiHnedL.exe, Usb1.cs.Net Code: infect
            Source: 01koiHnedL.exe, 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: \autorun.inf
            Source: 01koiHnedL.exe, 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: [autorun]
            Source: 01koiHnedL.exe, 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: autorun.inf
            Source: 01koiHnedL.exeBinary or memory string: \autorun.inf
            Source: 01koiHnedL.exeBinary or memory string: [autorun]
            Source: 01koiHnedL.exeBinary or memory string: autorun.inf

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.6:49718 -> 147.185.221.18:61276
            Source: Network trafficSuricata IDS: 2033132 - Severity 1 - ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) : 192.168.2.6:49711 -> 147.185.221.18:61276
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.6:49711 -> 147.185.221.18:61276
            Source: Network trafficSuricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.6:49711 -> 147.185.221.18:61276
            Source: Network trafficSuricata IDS: 2021176 - Severity 1 - ET MALWARE Bladabindi/njRAT CnC Command (ll) : 192.168.2.6:49718 -> 147.185.221.18:61276
            Source: Network trafficSuricata IDS: 2825564 - Severity 1 - ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act) : 192.168.2.6:49718 -> 147.185.221.18:61276
            Source: global trafficTCP traffic: 192.168.2.6:49711 -> 147.185.221.18:61276
            Source: Joe Sandbox ViewIP Address: 147.185.221.18 147.185.221.18
            Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
            Source: C:\Users\user\Desktop\01koiHnedL.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

            E-Banking Fraud

            barindex
            Yara detected Njrat
            Source: Yara matchFile source: 01koiHnedL.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 01koiHnedL.exe PID: 3420, type: MEMORYSTR

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 01koiHnedL.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 01koiHnedL.exe, type: SAMPLEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 01koiHnedL.exe, type: SAMPLEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 01koiHnedL.exe, type: SAMPLEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: Detects malware from disclosed CN malware set Author: Florian Roth
            Source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: Detects NjRAT / Bladabindi Author: ditekSHen
            Source: 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
            Source: 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_0092BC36 NtQuerySystemInformation,0_2_0092BC36
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_0092BC05 NtQuerySystemInformation,0_2_0092BC05
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D78CE80_2_00D78CE8
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D742980_2_00D74298
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D747D40_2_00D747D4
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D78CD90_2_00D78CD9
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D744F10_2_00D744F1
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D749F90_2_00D749F9
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D750E30_2_00D750E3
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D74F9D0_2_00D74F9D
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D7499D0_2_00D7499D
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D74C8F0_2_00D74C8F
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D7505D0_2_00D7505D
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D74B5B0_2_00D74B5B
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D754590_2_00D75459
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D745440_2_00D74544
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D7536F0_2_00D7536F
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D742690_2_00D74269
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D750000_2_00D75000
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D7470F0_2_00D7470F
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D749360_2_00D74936
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D746300_2_00D74630
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_00D74F2F0_2_00D74F2F
            Source: 01koiHnedL.exe, 00000000.00000002.4570462609.000000000096E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs 01koiHnedL.exe
            Source: 01koiHnedL.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 01koiHnedL.exe, type: SAMPLEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 01koiHnedL.exe, type: SAMPLEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 01koiHnedL.exe, type: SAMPLEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 01koiHnedL.exe, type: SAMPLEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
            Source: 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
            Source: 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
            Source: classification engineClassification label: mal100.spre.phis.troj.evad.winEXE@4/2@0/1
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_0092BABA AdjustTokenPrivileges,0_2_0092BABA
            Source: C:\Users\user\Desktop\01koiHnedL.exeCode function: 0_2_0092BA83 AdjustTokenPrivileges,0_2_0092BA83
            Source: C:\Users\user\Desktop\01koiHnedL.exeFile created: C:\Users\user\AppData\Roaming\appJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMutant created: NULL
            Source: C:\Users\user\Desktop\01koiHnedL.exeMutant created: \Sessions\1\BaseNamedObjects\f7e6d24b4a113d9753558dfbb032c2ac
            Source: C:\Users\user\Desktop\01koiHnedL.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
            Source: C:\Users\user\Desktop\01koiHnedL.exeFile created: C:\Users\user\AppData\Local\Temp\FransescoPast.txtJump to behavior
            Source: 01koiHnedL.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 01koiHnedL.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\01koiHnedL.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: 01koiHnedL.exeReversingLabs: Detection: 86%
            Source: 01koiHnedL.exeVirustotal: Detection: 75%
            Source: unknownProcess created: C:\Users\user\Desktop\01koiHnedL.exe "C:\Users\user\Desktop\01koiHnedL.exe"
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\01koiHnedL.exe" "01koiHnedL.exe" ENABLE
            Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\01koiHnedL.exe" "01koiHnedL.exe" ENABLEJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: shfolder.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32Jump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
            Source: 01koiHnedL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\Desktop\01koiHnedL.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dllJump to behavior
            Source: 01koiHnedL.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            barindex
            .NET source code contains potential unpacker
            Source: 01koiHnedL.exe, Fransesco.cs.Net Code: Plugin System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: BC0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 2AD0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: D90000 memory commit | memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 5920000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 6920000 memory commit | memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 6E90000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 7E90000 memory commit | memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 82E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 92E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: A2E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: B2E0000 memory commit | memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: B770000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: A2E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: C770000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: D770000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: E770000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: F770000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 10770000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 11770000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 12770000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 13770000 memory commit | memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 14080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 15080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 16080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 17080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 18080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 19080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 1A080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 1B080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 1C080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 1D080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 1E080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 1F080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 20080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 21080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 22080000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 23080000 memory commit | memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 24290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 25290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 26290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 27290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 28290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 29290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 2A290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 2B290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 2C290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 2D290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 2E290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 2F290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 30290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 31290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 32290000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: B2E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: C2E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: D2E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: E2E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: F2E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 102E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: C3E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: D3E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: E3E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: F3E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 103E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 113E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 123E0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: E160000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: F160000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 10160000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: F260000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 11260000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: 12260000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeWindow / User API: threadDelayed 3293Jump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeWindow / User API: threadDelayed 978Jump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeWindow / User API: foregroundWindowGot 470Jump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeWindow / User API: foregroundWindowGot 473Jump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exe TID: 5316Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exe TID: 5316Thread sleep count: 273 > 30Jump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exe TID: 6524Thread sleep count: 3293 > 30Jump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exe TID: 6524Thread sleep time: -1646500s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exe TID: 6104Thread sleep count: 40 > 30Jump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exe TID: 6524Thread sleep count: 978 > 30Jump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exe TID: 6524Thread sleep time: -489000s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\01koiHnedL.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: 01koiHnedL.exe, 00000000.00000002.4570462609.00000000009E5000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000003.2144662641.0000000002CF1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeMemory allocated: page read and write | page guardJump to behavior
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:34:35 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 13:05:55 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:24 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:38:03 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 13:32:36 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:31 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:34:28 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:11 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:09 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:33:28 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 03:25:36 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:39:34 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:57 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:35:26 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:31:58 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 03:05:44 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 18:36:43 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 09:32:13 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 03:51:45 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:20 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:10 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:33:58 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 03:21:37 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:46 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:33:21 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:33:51 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:35:34 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:55 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 06:37:55 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:25 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 17:48:42 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:14 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 19:40:23 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:35:57 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:34 - Program Manager
            Source: 01koiHnedL.exeBinary or memory string: ProgMan
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:27 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:21 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 08:02:45 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:33:06 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:06 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:19 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:35:49 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 03:05:07 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 22:54:08 - Program Manager
            Source: 01koiHnedL.exeBinary or memory string: Shell_traywnd+MostrarBarraDeTarefas
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:31:57 - Program Manager
            Source: 01koiHnedL.exeBinary or memory string: Shell_TrayWnd
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 07:24:06 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 03:15:36 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:34:10 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:13 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:34:20 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 18:50:24 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:29 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 08:57:50 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:33:44 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:48 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 03:27:32 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 03:02:36 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 20:02:25 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:35:11 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:55:40 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:08 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:36:23 - Program Manager
            Source: 01koiHnedL.exe, 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 24/09/16 | 02:32:32 - Program Manager
            Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\01koiHnedL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Lowering of HIPS / PFW / Operating System Security Settings

            barindex
            Contains functionality to disable the Task Manager (.Net Source)
            Source: 01koiHnedL.exe, Fransesco.cs.Net Code: INS
            Disables zone checking for all users
            Source: C:\Users\user\Desktop\01koiHnedL.exeRegistry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKSJump to behavior
            Modifies the windows firewall
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\01koiHnedL.exe" "01koiHnedL.exe" ENABLE
            Uses netsh to modify the Windows network and firewall settings
            Source: C:\Users\user\Desktop\01koiHnedL.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\Desktop\01koiHnedL.exe" "01koiHnedL.exe" ENABLE

            Stealing of Sensitive Information

            barindex
            Yara detected Njrat
            Source: Yara matchFile source: 01koiHnedL.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 01koiHnedL.exe PID: 3420, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected Njrat
            Source: Yara matchFile source: 01koiHnedL.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.01koiHnedL.exe.350000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 01koiHnedL.exe PID: 3420, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire Infrastructure11
            Replication Through Removable Media            		Windows Management Instrumentation1
            DLL Side-Loading            		1
            Access Token Manipulation            		1
            Masquerading            		OS Credential Dumping1
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts2
            Process Injection            		41
            Disable or Modify Tools            		LSASS Memory2
            Process Discovery            		Remote Desktop Protocol1
            Clipboard Data            		1
            Non-Standard Port            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading            		31
            Virtualization/Sandbox Evasion            		Security Account Manager31
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
            Access Token Manipulation            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
            Process Injection            		LSA Secrets1
            Peripheral Device Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Software Packing            		Cached Domain Credentials12
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            01koiHnedL.exe87%ReversingLabsByteCode-MSIL.Backdoor.njRAT
            01koiHnedL.exe75%VirustotalBrowse
            01koiHnedL.exe100%AviraTR/Dropper.Gen
            01koiHnedL.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            World Map of Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public IPs

            IPDomainCountryFlagASNASN NameMalicious
            147.185.221.18
            		unknownUnited States
            		12087SALSGIVERUStrue

            General Information

            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1511706
            Start date and time:2024-09-16 08:31:05 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 33s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:10
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:01koiHnedL.exe
            renamed because original name is a hash value
            Original Sample Name:1f41f02970cfdce69e628299a96d754d.exe
            Detection:MAL
            Classification:mal100.spre.phis.troj.evad.winEXE@4/2@0/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 142
            • Number of non-executed functions: 1
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240s for sample files taking high CPU consumption

            Warnings

            • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, cdn.onenote.net, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtQueryValueKey calls found.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            02:32:32API Interceptor147899x Sleep call for process: 01koiHnedL.exe modified

            Joe Sandbox View / Context

            IPs

            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            147.185.221.18i231IEP3oh.exeGet hashmaliciousAsyncRATBrowse
              killer.exeGet hashmaliciousXWormBrowse
                system47.exeGet hashmaliciousXWormBrowse
                  javaupdate.jarGet hashmaliciousDynamic StealerBrowse
                    javaupdate.jarGet hashmaliciousDynamic StealerBrowse
                      LisectAVT_2403002C_149.exeGet hashmaliciousAsyncRATBrowse
                        LisectAVT_2403002C_28.exeGet hashmaliciousRemcosBrowse
                          sqjxHtZQi8.jpg.ps1Get hashmaliciousArrowRATBrowse
                            listafamilia_caipira.docGet hashmaliciousArrowRATBrowse
                              1.exeGet hashmaliciousAsyncRAT, PureLog Stealer, zgRATBrowse

                                Domains

                                No context

                                ASNs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                SALSGIVERUSnPIv2AODg2.exeGet hashmaliciousXWormBrowse
                                • 147.185.221.19
                                WLO9Pkkle0.exeGet hashmaliciousXWormBrowse
                                • 147.185.221.22
                                uUY8turU3x.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                • 147.185.221.22
                                wB5Gc9RKzG.exeGet hashmaliciousXWormBrowse
                                • 147.185.221.22
                                Uhj9qfwbYG.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                • 147.185.221.21
                                PjkFCWhi.exeGet hashmaliciousXWormBrowse
                                • 147.185.221.22
                                BootstrapperV3.0.exeGet hashmaliciousXWormBrowse
                                • 147.185.221.22
                                TRXLoader.exeGet hashmaliciousXWormBrowse
                                • 147.185.221.22
                                Bootstrapper.exeGet hashmaliciousXWormBrowse
                                • 147.185.221.22
                                Fixer.exeGet hashmaliciousUnknownBrowse
                                • 147.185.221.22

                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Roaming\app

                                Download File
                                Process:C:\Users\user\Desktop\01koiHnedL.exe
                                File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                Category:dropped
                                Size (bytes):5
                                Entropy (8bit):2.321928094887362
                                Encrypted:false
                                SSDEEP:3:1n:1
                                MD5:02B81B0CBE1FAAA1FA62D5FC876AB443
                                SHA1:D473CFE21FB1F188689415B0BDD239688F8FDDD9
                                SHA-256:E7E9E2C247BC872BACCE77661C78F001A17D70EE3130A9016A5818DA9DA00CDB
                                SHA-512:592AB5B200D4C560951CB70288DC1B7A562F0CBFAEE01CE03076B6934D537B88575C2E1E0FEDCC05DB95E6C224CA739923E7D74F9165E683F3FBAD7BBF641784
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:.16

                                \Device\ConDrv

                                Download File
                                Process:C:\Windows\SysWOW64\netsh.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):313
                                Entropy (8bit):4.971939296804078
                                Encrypted:false
                                SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                                MD5:689E2126A85BF55121488295EE068FA1
                                SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                                SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                                SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):5.565068645805422
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:01koiHnedL.exe
                                File size:95'232 bytes
                                MD5:1f41f02970cfdce69e628299a96d754d
                                SHA1:fb04fa7cbe25caccd197dac9af74496e3b513866
                                SHA256:6d48ccbf40f5f43149cb69f1659d683fc7eaf5cee527f724a1761e548c1a5fe2
                                SHA512:aeec12de9fdffa33fa7123809c2e67b1a6fa786d7c8db210d622b76ddeb40ae631a1cc370644836618670e976dde42367818ce53097b1760493e63c73fa6ba29
                                SSDEEP:1536:QxNJD/HBZbszKu9AZp77r1jEwzGi1dDrD7gS:QxUzK4AZtHCi1dr0
                                TLSH:E893E94977E52524E0BF56F75471F2004E34B48B1612E39D58F219AA0B33AC48F8AFEB
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................p............... ........@.. ....................................@................................

                                File Icon

                                Icon Hash:00928e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x418f1e
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x66D896E0 [Wed Sep 4 17:20:32 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al

                                Data Directories

                                NameVirtual AddressVirtual Size Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT0x18ed00x4b.text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x1a0000xc.reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                Sections

                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                .text0x20000x16f240x170001789bfe8f7287f81e478a81a39b266aeFalse0.36824898097826086data5.596737171251843IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .reloc0x1a0000xc0x2009dc49a004fa3bd643fadc899ad4fdf5dFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Imports

                                DLLImport
                                mscoree.dll_CorExeMain

                                Network Behavior

                                Suricata IDS Alerts

                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                2024-09-16T08:32:03.708470+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.649711147.185.221.1861276TCP
                                2024-09-16T08:32:03.708470+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.649711147.185.221.1861276TCP
                                2024-09-16T08:32:09.137258+02002825564ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)1192.168.2.649711147.185.221.1861276TCP
                                2024-09-16T08:32:50.098627+02002033132ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)1192.168.2.649718147.185.221.1861276TCP
                                2024-09-16T08:32:50.098627+02002021176ET MALWARE Bladabindi/njRAT CnC Command (ll)1192.168.2.649718147.185.221.1861276TCP
                                2024-09-16T08:32:55.280177+02002825564ETPRO MALWARE Generic njRAT/Bladabindi CnC Activity (act)1192.168.2.649718147.185.221.1861276TCP

                                Network Port Distribution

                                TCP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Sep 16, 2024 08:32:02.092541933 CEST4971161276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:02.097557068 CEST6127649711147.185.221.18192.168.2.6
                                Sep 16, 2024 08:32:02.097639084 CEST4971161276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:03.708470106 CEST4971161276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:03.724071980 CEST6127649711147.185.221.18192.168.2.6
                                Sep 16, 2024 08:32:03.724145889 CEST4971161276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:03.729034901 CEST6127649711147.185.221.18192.168.2.6
                                Sep 16, 2024 08:32:09.137258053 CEST4971161276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:09.142111063 CEST6127649711147.185.221.18192.168.2.6
                                Sep 16, 2024 08:32:48.055018902 CEST6127649711147.185.221.18192.168.2.6
                                Sep 16, 2024 08:32:48.055119991 CEST4971161276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:50.062112093 CEST4971161276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:50.062730074 CEST4971861276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:50.067166090 CEST6127649711147.185.221.18192.168.2.6
                                Sep 16, 2024 08:32:50.067553043 CEST6127649718147.185.221.18192.168.2.6
                                Sep 16, 2024 08:32:50.067640066 CEST4971861276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:50.098627090 CEST4971861276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:50.103585958 CEST6127649718147.185.221.18192.168.2.6
                                Sep 16, 2024 08:32:50.103789091 CEST4971861276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:50.108700037 CEST6127649718147.185.221.18192.168.2.6
                                Sep 16, 2024 08:32:55.280177116 CEST4971861276192.168.2.6147.185.221.18
                                Sep 16, 2024 08:32:55.285093069 CEST6127649718147.185.221.18192.168.2.6

                                Statistics

                                CPU Usage

                                Click to jump to process

                                Memory Usage

                                Click to jump to process

                                High Level Behavior Distribution

                                Click to dive into process behavior distribution

                                Behavior

                                Click to jump to process

                                System Behavior

                                General

                                Target ID:0
                                Start time:02:31:55
                                Start date:16/09/2024
                                Path:C:\Users\user\Desktop\01koiHnedL.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\01koiHnedL.exe"
                                Imagebase:0x350000
                                File size:95'232 bytes
                                MD5 hash:1F41F02970CFDCE69E628299A96D754D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                • Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000000.2117088678.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4571318480.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                General

                                Target ID:2
                                Start time:02:31:57
                                Start date:16/09/2024
                                Path:C:\Windows\SysWOW64\netsh.exe
                                Wow64 process (32bit):true
                                Commandline:netsh firewall add allowedprogram "C:\Users\user\Desktop\01koiHnedL.exe" "01koiHnedL.exe" ENABLE
                                Imagebase:0xa60000
                                File size:82'432 bytes
                                MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:3
                                Start time:02:31:57
                                Start date:16/09/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff66e660000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Disassembly

                                Reset < >

                                  Execution Graph

                                  Execution Coverage:21.2%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:7.7%
                                  Total number of Nodes:91
                                  Total number of Limit Nodes:5
                                  execution_graph 21384 92b212 21385 92b24a RegOpenKeyExW 21384->21385 21387 92b2a0 21385->21387 21388 92aa12 21389 92aa3e SetErrorMode 21388->21389 21391 92aa67 21388->21391 21390 92aa53 21389->21390 21391->21389 21469 e129a6 21470 e129db GetProcessWorkingSetSize 21469->21470 21472 e12a07 21470->21472 21473 e11c26 21475 e11c61 LoadLibraryA 21473->21475 21476 e11c9e 21475->21476 21392 92a59a 21393 92a610 21392->21393 21394 92a5d8 DuplicateHandle 21392->21394 21393->21394 21395 92a5e6 21394->21395 21396 92b31a 21397 92b34f RegQueryValueExW 21396->21397 21399 92b3a3 21397->21399 21400 e10bea 21401 e10c22 WSASocketW 21400->21401 21403 e10c5e 21401->21403 21404 e1146a 21405 e1149f shutdown 21404->21405 21407 e114c8 21405->21407 21481 92a65e 21482 92a6c0 21481->21482 21483 92a68a CloseHandle 21481->21483 21482->21483 21484 92a698 21483->21484 21485 e11732 21487 e11767 GetProcessTimes 21485->21487 21488 e11799 21487->21488 21408 92a186 21409 92a1f3 21408->21409 21410 92a1bb send 21408->21410 21409->21410 21411 92a1c9 21410->21411 21412 e127f6 21413 e1281f select 21412->21413 21415 e12854 21413->21415 21420 e1197a 21421 e119af WSAConnect 21420->21421 21423 e119ce 21421->21423 21424 92b40e 21426 92b443 RegSetValueExW 21424->21426 21427 92b48f 21426->21427 21428 92bc36 21429 92bc96 21428->21429 21430 92bc6b NtQuerySystemInformation 21428->21430 21429->21430 21431 92bc80 21430->21431 21489 92b4f6 21492 92b531 SendMessageTimeoutA 21489->21492 21491 92b579 21492->21491 21432 e111c6 21434 e111fe MapViewOfFile 21432->21434 21435 e1124d 21434->21435 21436 92baba 21439 92bae9 AdjustTokenPrivileges 21436->21439 21438 92bb0b 21439->21438 21440 92b93a 21441 92b963 LookupPrivilegeValueW 21440->21441 21443 92b98a 21441->21443 21444 e128ca 21445 e128ff GetExitCodeProcess 21444->21445 21447 e12928 21445->21447 21448 e1254a 21449 e12582 RegCreateKeyExW 21448->21449 21451 e125f4 21449->21451 21493 e12a8a 21495 e12abf SetProcessWorkingSetSize 21493->21495 21496 e12aeb 21495->21496 21459 92aaa6 21461 92aade CreateFileW 21459->21461 21462 92ab2d 21461->21462 21497 e11016 21499 e1104e ConvertStringSecurityDescriptorToSecurityDescriptorW 21497->21499 21500 e1108f 21499->21500 21501 92ac6a 21503 92ac9f GetFileType 21501->21503 21504 92accc 21503->21504 21505 92b06a 21507 92b0a2 CreateMutexW 21505->21507 21508 92b0e5 21507->21508 21509 e1271a 21511 e1274f ioctlsocket 21509->21511 21512 e1277b 21511->21512 21463 92aeae 21465 92aee3 WriteFile 21463->21465 21466 92af15 21465->21466 21467 92a72e OleGetClipboard 21468 92a780 21467->21468

                                  Executed Functions

                                  Function 00D74298 Relevance: 13.2, Strings: 9, Instructions: 1950COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 0 d74298-d742c9 3 d74352-d7435a 0->3 4 d742cf-d74350 0->4 5 d74366-d7437a 3->5 4->3 31 d7435c 4->31 6 d74380-d743bc 5->6 7 d7452f-d7467d 5->7 19 d743be-d743e6 6->19 20 d743ed-d744ef 6->20 45 d74683-d747d2 7->45 46 d7480d-d74821 7->46 19->20 20->7 31->5 45->46 47 d74827-d74934 46->47 48 d7496f-d74983 46->48 47->48 49 d749d6-d749ea 48->49 50 d74985-d7498b call d74210 48->50 55 d74a32-d74a46 49->55 56 d749ec-d749f7 49->56 58 d74990-d7499b 50->58 60 d74b94-d74ba8 55->60 61 d74a4c-d74b59 55->61 56->55 58->49 63 d74cd4-d74ce8 60->63 64 d74bae-d74bc2 60->64 61->60 68 d74f74-d74f88 63->68 69 d74cee-d74f2d 63->69 72 d74bc4-d74bcb 64->72 73 d74bd0-d74be4 64->73 74 d74fe2-d74ff6 68->74 75 d74f8a-d74f9b 68->75 69->68 79 d74c48-d74c5c 72->79 76 d74be6-d74bed 73->76 77 d74bef-d74c03 73->77 85 d75045-d75059 74->85 86 d74ff8-d74ffe 74->86 75->74 76->79 83 d74c05-d74c0c 77->83 84 d74c0e-d74c22 77->84 88 d74c76-d74c82 79->88 89 d74c5e-d74c74 79->89 83->79 91 d74c24-d74c2b 84->91 92 d74c2d-d74c41 84->92 93 d750a2-d750b6 85->93 94 d7505b 85->94 86->85 95 d74c8d 88->95 89->95 91->79 92->79 100 d74c43-d74c45 92->100 97 d7512d-d75141 93->97 98 d750b8-d750e1 93->98 94->93 95->63 107 d75147-d75363 97->107 108 d753b4-d753c8 97->108 98->97 100->79 488 d75367 107->488 489 d75365 107->489 112 d7549e-d754b2 108->112 113 d753ce-d75457 108->113 117 d7566f-d75683 112->117 118 d754b8-d75628 112->118 113->112 124 d757e6-d757fa 117->124 125 d75689-d7579f 117->125 118->117 131 d75800-d75916 124->131 132 d7595d-d75971 124->132 125->124 131->132 135 d75977-d75a8d 132->135 136 d75ad4-d75ae8 132->136 135->136 143 d75aee-d75c04 136->143 144 d75c4b-d75c5f 136->144 143->144 154 d75c65-d75d7b 144->154 155 d75dc2-d75dd6 144->155 154->155 162 d75ddc-d75ef2 155->162 163 d75f39-d75f4d 155->163 162->163 168 d75f53-d76069 163->168 169 d760b0-d760c4 163->169 168->169 178 d76227-d7623b 169->178 179 d760ca-d761e0 169->179 187 d76241-d76357 178->187 188 d7639e-d763b2 178->188 179->178 187->188 195 d76536-d7654a 188->195 196 d763b8-d763fd call d74278 188->196 209 d76550-d7656f 195->209 210 d7668d-d766a1 195->210 327 d764bd-d764df 196->327 245 d76614-d76636 209->245 213 d766a7-d767a7 210->213 214 d767ee-d76802 210->214 213->214 230 d7694f-d76963 214->230 231 d76808-d76908 214->231 239 d76ab0-d76ada 230->239 240 d76969-d76a69 230->240 231->230 259 d76ae0-d76b53 239->259 260 d76b9a-d76bae 239->260 240->239 246 d76574-d76583 245->246 247 d7663c 245->247 264 d7663e 246->264 265 d76589-d765bc 246->265 247->210 259->260 275 d76bb4-d76c0b 260->275 276 d76c8b-d76c9f 260->276 283 d76643-d7668b 264->283 355 d76603-d7660c 265->355 356 d765be-d765f8 265->356 407 d76c12-d76c44 275->407 281 d76de5-d76df9 276->281 282 d76ca5-d76d9e 276->282 303 d76dff-d76e4f 281->303 304 d7705c-d77070 281->304 282->281 283->210 415 d76e51-d76e77 303->415 416 d76ebd-d76ee8 303->416 318 d77076-d77111 call d74278 * 2 304->318 319 d77158-d7715f 304->319 318->319 344 d764e5 327->344 345 d76402-d76411 327->345 344->195 352 d764e7 345->352 353 d76417-d764b5 345->353 373 d764ec-d76534 352->373 353->373 490 d764b7 353->490 355->283 363 d7660e 355->363 356->355 363->245 373->195 407->276 491 d76e79-d76e99 415->491 492 d76eb8 415->492 494 d76fc6-d77057 416->494 495 d76eee-d76fc1 416->495 500 d7536d 488->500 556 d75367 call d771c1 488->556 489->500 490->327 491->492 492->304 494->304 495->304 500->108 556->500
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l$:@2l$:@2l$:@2l$:@2l$@$\OYl$2Yl
                                  • API String ID: 0-2587338529
                                  • Opcode ID: d847b1592cf33cf6826237c21e1cf9418ab6fd163a8bb385b0c4d2a44bd875fc
                                  • Instruction ID: 46c5e51942a54e500824984cecbf7d5d387be065e243fab2adba3bf6269bbf42
                                  • Opcode Fuzzy Hash: d847b1592cf33cf6826237c21e1cf9418ab6fd163a8bb385b0c4d2a44bd875fc
                                  • Instruction Fuzzy Hash: 5C235A74A02228CFDB64EF74D954BA9B7B2FB48304F1081EAD40AA7794DB359E85CF50
                                  Function 00D74269 Relevance: 13.0, Strings: 9, Instructions: 1763COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 557 d74269-d74288 558 d742b1-d742c9 557->558 559 d7428a-d742af 557->559 563 d74352-d7435a 558->563 564 d742cf-d74350 558->564 559->558 565 d74366-d7437a 563->565 564->563 591 d7435c 564->591 566 d74380-d743bc 565->566 567 d7452f-d7467d 565->567 579 d743be-d743e6 566->579 580 d743ed-d744ef 566->580 605 d74683-d747d2 567->605 606 d7480d-d74821 567->606 579->580 580->567 591->565 605->606 607 d74827-d74934 606->607 608 d7496f-d74983 606->608 607->608 609 d749d6-d749ea 608->609 610 d74985-d7498b call d74210 608->610 615 d74a32-d74a46 609->615 616 d749ec-d749f7 609->616 618 d74990-d7499b 610->618 620 d74b94-d74ba8 615->620 621 d74a4c-d74b59 615->621 616->615 618->609 623 d74cd4-d74ce8 620->623 624 d74bae-d74bc2 620->624 621->620 628 d74f74-d74f88 623->628 629 d74cee-d74f2d 623->629 632 d74bc4-d74bcb 624->632 633 d74bd0-d74be4 624->633 634 d74fe2-d74ff6 628->634 635 d74f8a-d74f9b 628->635 629->628 639 d74c48-d74c5c 632->639 636 d74be6-d74bed 633->636 637 d74bef-d74c03 633->637 645 d75045-d75059 634->645 646 d74ff8-d74ffe 634->646 635->634 636->639 643 d74c05-d74c0c 637->643 644 d74c0e-d74c22 637->644 648 d74c76-d74c82 639->648 649 d74c5e-d74c74 639->649 643->639 651 d74c24-d74c2b 644->651 652 d74c2d-d74c41 644->652 653 d750a2-d750b6 645->653 654 d7505b 645->654 646->645 655 d74c8d 648->655 649->655 651->639 652->639 660 d74c43-d74c45 652->660 657 d7512d-d75141 653->657 658 d750b8-d750e1 653->658 654->653 655->623 667 d75147-d75363 657->667 668 d753b4-d753c8 657->668 658->657 660->639 1048 d75367 667->1048 1049 d75365 667->1049 672 d7549e-d754b2 668->672 673 d753ce-d75457 668->673 677 d7566f-d75683 672->677 678 d754b8-d75628 672->678 673->672 684 d757e6-d757fa 677->684 685 d75689-d7579f 677->685 678->677 691 d75800-d75916 684->691 692 d7595d-d75971 684->692 685->684 691->692 695 d75977-d75a8d 692->695 696 d75ad4-d75ae8 692->696 695->696 703 d75aee-d75c04 696->703 704 d75c4b-d75c5f 696->704 703->704 714 d75c65-d75d7b 704->714 715 d75dc2-d75dd6 704->715 714->715 722 d75ddc-d75ef2 715->722 723 d75f39-d75f4d 715->723 722->723 728 d75f53-d76069 723->728 729 d760b0-d760c4 723->729 728->729 738 d76227-d7623b 729->738 739 d760ca-d761e0 729->739 747 d76241-d76357 738->747 748 d7639e-d763b2 738->748 739->738 747->748 755 d76536-d7654a 748->755 756 d763b8-d763fd call d74278 748->756 769 d76550-d7656f 755->769 770 d7668d-d766a1 755->770 887 d764bd-d764df 756->887 805 d76614-d76636 769->805 773 d766a7-d767a7 770->773 774 d767ee-d76802 770->774 773->774 790 d7694f-d76963 774->790 791 d76808-d76908 774->791 799 d76ab0-d76ada 790->799 800 d76969-d76a69 790->800 791->790 819 d76ae0-d76b53 799->819 820 d76b9a-d76bae 799->820 800->799 806 d76574-d76583 805->806 807 d7663c 805->807 824 d7663e 806->824 825 d76589-d765bc 806->825 807->770 819->820 835 d76bb4-d76c0b 820->835 836 d76c8b-d76c9f 820->836 843 d76643-d7668b 824->843 915 d76603-d7660c 825->915 916 d765be-d765f8 825->916 967 d76c12-d76c44 835->967 841 d76de5-d76df9 836->841 842 d76ca5-d76d9e 836->842 863 d76dff-d76e4f 841->863 864 d7705c-d77070 841->864 842->841 843->770 975 d76e51-d76e77 863->975 976 d76ebd-d76ee8 863->976 878 d77076-d77111 call d74278 * 2 864->878 879 d77158-d7715f 864->879 878->879 904 d764e5 887->904 905 d76402-d76411 887->905 904->755 912 d764e7 905->912 913 d76417-d764b5 905->913 933 d764ec-d76534 912->933 913->933 1050 d764b7 913->1050 915->843 923 d7660e 915->923 916->915 923->805 933->755 967->836 1051 d76e79-d76e99 975->1051 1052 d76eb8 975->1052 1054 d76fc6-d77057 976->1054 1055 d76eee-d76fc1 976->1055 1060 d7536d 1048->1060 1116 d75367 call d771c1 1048->1116 1049->1060 1050->887 1051->1052 1052->864 1054->864 1055->864 1060->668 1116->1060
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $:@2l$:@2l$:@2l$:@2l$:@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-2458924787
                                  • Opcode ID: 95bb37ee5f637459823e416ddb046915378aebfef03787e86dadfbe9685d9d7a
                                  • Instruction ID: 1f388042a5405f4b393b43cb2180ac76a711dc7c20d406370bd00ac93e79c58e
                                  • Opcode Fuzzy Hash: 95bb37ee5f637459823e416ddb046915378aebfef03787e86dadfbe9685d9d7a
                                  • Instruction Fuzzy Hash: 0B134B74A02228CFDB25EF34D954BA9B7B2FB48304F1081EAD90A67794DB359E85CF50
                                  Function 00D744F1 Relevance: 12.9, Strings: 9, Instructions: 1624COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1117 d744f1-d7467d 1138 d74683-d747d2 1117->1138 1139 d7480d-d74821 1117->1139 1138->1139 1140 d74827-d74934 1139->1140 1141 d7496f-d74983 1139->1141 1140->1141 1142 d749d6-d749ea 1141->1142 1143 d74985-d7498b call d74210 1141->1143 1147 d74a32-d74a46 1142->1147 1148 d749ec-d749f7 1142->1148 1150 d74990-d7499b 1143->1150 1151 d74b94-d74ba8 1147->1151 1152 d74a4c-d74b59 1147->1152 1148->1147 1150->1142 1154 d74cd4-d74ce8 1151->1154 1155 d74bae-d74bc2 1151->1155 1152->1151 1159 d74f74-d74f88 1154->1159 1160 d74cee-d74f2d 1154->1160 1162 d74bc4-d74bcb 1155->1162 1163 d74bd0-d74be4 1155->1163 1164 d74fe2-d74ff6 1159->1164 1165 d74f8a-d74f9b 1159->1165 1160->1159 1169 d74c48-d74c5c 1162->1169 1166 d74be6-d74bed 1163->1166 1167 d74bef-d74c03 1163->1167 1175 d75045-d75059 1164->1175 1176 d74ff8-d74ffe 1164->1176 1165->1164 1166->1169 1173 d74c05-d74c0c 1167->1173 1174 d74c0e-d74c22 1167->1174 1177 d74c76-d74c82 1169->1177 1178 d74c5e-d74c74 1169->1178 1173->1169 1180 d74c24-d74c2b 1174->1180 1181 d74c2d-d74c41 1174->1181 1182 d750a2-d750b6 1175->1182 1183 d7505b 1175->1183 1176->1175 1184 d74c8d 1177->1184 1178->1184 1180->1169 1181->1169 1188 d74c43-d74c45 1181->1188 1186 d7512d-d75141 1182->1186 1187 d750b8-d750e1 1182->1187 1183->1182 1184->1154 1195 d75147-d75363 1186->1195 1196 d753b4-d753c8 1186->1196 1187->1186 1188->1169 1573 d75367 1195->1573 1574 d75365 1195->1574 1199 d7549e-d754b2 1196->1199 1200 d753ce-d75457 1196->1200 1204 d7566f-d75683 1199->1204 1205 d754b8-d75628 1199->1205 1200->1199 1210 d757e6-d757fa 1204->1210 1211 d75689-d7579f 1204->1211 1205->1204 1217 d75800-d75916 1210->1217 1218 d7595d-d75971 1210->1218 1211->1210 1217->1218 1221 d75977-d75a8d 1218->1221 1222 d75ad4-d75ae8 1218->1222 1221->1222 1228 d75aee-d75c04 1222->1228 1229 d75c4b-d75c5f 1222->1229 1228->1229 1239 d75c65-d75d7b 1229->1239 1240 d75dc2-d75dd6 1229->1240 1239->1240 1247 d75ddc-d75ef2 1240->1247 1248 d75f39-d75f4d 1240->1248 1247->1248 1253 d75f53-d76069 1248->1253 1254 d760b0-d760c4 1248->1254 1253->1254 1263 d76227-d7623b 1254->1263 1264 d760ca-d761e0 1254->1264 1272 d76241-d76357 1263->1272 1273 d7639e-d763b2 1263->1273 1264->1263 1272->1273 1280 d76536-d7654a 1273->1280 1281 d763b8-d763fd call d74278 1273->1281 1294 d76550-d7656f 1280->1294 1295 d7668d-d766a1 1280->1295 1412 d764bd-d764df 1281->1412 1330 d76614-d76636 1294->1330 1298 d766a7-d767a7 1295->1298 1299 d767ee-d76802 1295->1299 1298->1299 1315 d7694f-d76963 1299->1315 1316 d76808-d76908 1299->1316 1324 d76ab0-d76ada 1315->1324 1325 d76969-d76a69 1315->1325 1316->1315 1344 d76ae0-d76b53 1324->1344 1345 d76b9a-d76bae 1324->1345 1325->1324 1331 d76574-d76583 1330->1331 1332 d7663c 1330->1332 1349 d7663e 1331->1349 1350 d76589-d765bc 1331->1350 1332->1295 1344->1345 1360 d76bb4-d76c0b 1345->1360 1361 d76c8b-d76c9f 1345->1361 1368 d76643-d7668b 1349->1368 1440 d76603-d7660c 1350->1440 1441 d765be-d765f8 1350->1441 1492 d76c12-d76c44 1360->1492 1366 d76de5-d76df9 1361->1366 1367 d76ca5-d76d9e 1361->1367 1388 d76dff-d76e4f 1366->1388 1389 d7705c-d77070 1366->1389 1367->1366 1368->1295 1500 d76e51-d76e77 1388->1500 1501 d76ebd-d76ee8 1388->1501 1403 d77076-d77111 call d74278 * 2 1389->1403 1404 d77158-d7715f 1389->1404 1403->1404 1429 d764e5 1412->1429 1430 d76402-d76411 1412->1430 1429->1280 1437 d764e7 1430->1437 1438 d76417-d764b5 1430->1438 1458 d764ec-d76534 1437->1458 1438->1458 1575 d764b7 1438->1575 1440->1368 1448 d7660e 1440->1448 1441->1440 1448->1330 1458->1280 1492->1361 1576 d76e79-d76e99 1500->1576 1577 d76eb8 1500->1577 1579 d76fc6-d77057 1501->1579 1580 d76eee-d76fc1 1501->1580 1585 d7536d 1573->1585 1641 d75367 call d771c1 1573->1641 1574->1585 1575->1412 1576->1577 1577->1389 1579->1389 1580->1389 1585->1196 1641->1585
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $:@2l$:@2l$:@2l$:@2l$:@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-2458924787
                                  • Opcode ID: b48f1e6b5877b083944596e7bc57288c513d7b8c9e5010b724f6d96788147c80
                                  • Instruction ID: 54d58d3fe16d42f0063d5ae7f9e47a330b988c7f7d7c049f27c362375feaf711
                                  • Opcode Fuzzy Hash: b48f1e6b5877b083944596e7bc57288c513d7b8c9e5010b724f6d96788147c80
                                  • Instruction Fuzzy Hash: B2034974A02228CFDB25EF34D954BA9B7B2FB48304F1081EAD90A67794DB359E85CF50
                                  Function 00D74544 Relevance: 12.9, Strings: 9, Instructions: 1618COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1642 d74544-d7467d 1660 d74683-d747d2 1642->1660 1661 d7480d-d74821 1642->1661 1660->1661 1662 d74827-d74934 1661->1662 1663 d7496f-d74983 1661->1663 1662->1663 1664 d749d6-d749ea 1663->1664 1665 d74985-d7498b call d74210 1663->1665 1669 d74a32-d74a46 1664->1669 1670 d749ec-d749f7 1664->1670 1672 d74990-d7499b 1665->1672 1673 d74b94-d74ba8 1669->1673 1674 d74a4c-d74b59 1669->1674 1670->1669 1672->1664 1676 d74cd4-d74ce8 1673->1676 1677 d74bae-d74bc2 1673->1677 1674->1673 1681 d74f74-d74f88 1676->1681 1682 d74cee-d74f2d 1676->1682 1684 d74bc4-d74bcb 1677->1684 1685 d74bd0-d74be4 1677->1685 1686 d74fe2-d74ff6 1681->1686 1687 d74f8a-d74f9b 1681->1687 1682->1681 1691 d74c48-d74c5c 1684->1691 1688 d74be6-d74bed 1685->1688 1689 d74bef-d74c03 1685->1689 1697 d75045-d75059 1686->1697 1698 d74ff8-d74ffe 1686->1698 1687->1686 1688->1691 1695 d74c05-d74c0c 1689->1695 1696 d74c0e-d74c22 1689->1696 1699 d74c76-d74c82 1691->1699 1700 d74c5e-d74c74 1691->1700 1695->1691 1702 d74c24-d74c2b 1696->1702 1703 d74c2d-d74c41 1696->1703 1704 d750a2-d750b6 1697->1704 1705 d7505b 1697->1705 1698->1697 1706 d74c8d 1699->1706 1700->1706 1702->1691 1703->1691 1710 d74c43-d74c45 1703->1710 1708 d7512d-d75141 1704->1708 1709 d750b8-d750e1 1704->1709 1705->1704 1706->1676 1717 d75147-d75363 1708->1717 1718 d753b4-d753c8 1708->1718 1709->1708 1710->1691 2095 d75367 1717->2095 2096 d75365 1717->2096 1721 d7549e-d754b2 1718->1721 1722 d753ce-d75457 1718->1722 1726 d7566f-d75683 1721->1726 1727 d754b8-d75628 1721->1727 1722->1721 1732 d757e6-d757fa 1726->1732 1733 d75689-d7579f 1726->1733 1727->1726 1739 d75800-d75916 1732->1739 1740 d7595d-d75971 1732->1740 1733->1732 1739->1740 1743 d75977-d75a8d 1740->1743 1744 d75ad4-d75ae8 1740->1744 1743->1744 1750 d75aee-d75c04 1744->1750 1751 d75c4b-d75c5f 1744->1751 1750->1751 1761 d75c65-d75d7b 1751->1761 1762 d75dc2-d75dd6 1751->1762 1761->1762 1769 d75ddc-d75ef2 1762->1769 1770 d75f39-d75f4d 1762->1770 1769->1770 1775 d75f53-d76069 1770->1775 1776 d760b0-d760c4 1770->1776 1775->1776 1785 d76227-d7623b 1776->1785 1786 d760ca-d761e0 1776->1786 1794 d76241-d76357 1785->1794 1795 d7639e-d763b2 1785->1795 1786->1785 1794->1795 1802 d76536-d7654a 1795->1802 1803 d763b8-d763fd call d74278 1795->1803 1816 d76550-d7656f 1802->1816 1817 d7668d-d766a1 1802->1817 1934 d764bd-d764df 1803->1934 1852 d76614-d76636 1816->1852 1820 d766a7-d767a7 1817->1820 1821 d767ee-d76802 1817->1821 1820->1821 1837 d7694f-d76963 1821->1837 1838 d76808-d76908 1821->1838 1846 d76ab0-d76ada 1837->1846 1847 d76969-d76a69 1837->1847 1838->1837 1866 d76ae0-d76b53 1846->1866 1867 d76b9a-d76bae 1846->1867 1847->1846 1853 d76574-d76583 1852->1853 1854 d7663c 1852->1854 1871 d7663e 1853->1871 1872 d76589-d765bc 1853->1872 1854->1817 1866->1867 1882 d76bb4-d76c0b 1867->1882 1883 d76c8b-d76c9f 1867->1883 1890 d76643-d7668b 1871->1890 1962 d76603-d7660c 1872->1962 1963 d765be-d765f8 1872->1963 2014 d76c12-d76c44 1882->2014 1888 d76de5-d76df9 1883->1888 1889 d76ca5-d76d9e 1883->1889 1910 d76dff-d76e4f 1888->1910 1911 d7705c-d77070 1888->1911 1889->1888 1890->1817 2022 d76e51-d76e77 1910->2022 2023 d76ebd-d76ee8 1910->2023 1925 d77076-d77111 call d74278 * 2 1911->1925 1926 d77158-d7715f 1911->1926 1925->1926 1951 d764e5 1934->1951 1952 d76402-d76411 1934->1952 1951->1802 1959 d764e7 1952->1959 1960 d76417-d764b5 1952->1960 1980 d764ec-d76534 1959->1980 1960->1980 2097 d764b7 1960->2097 1962->1890 1970 d7660e 1962->1970 1963->1962 1970->1852 1980->1802 2014->1883 2098 d76e79-d76e99 2022->2098 2099 d76eb8 2022->2099 2101 d76fc6-d77057 2023->2101 2102 d76eee-d76fc1 2023->2102 2107 d7536d 2095->2107 2163 d75367 call d771c1 2095->2163 2096->2107 2097->1934 2098->2099 2099->1911 2101->1911 2102->1911 2107->1718 2163->2107
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $:@2l$:@2l$:@2l$:@2l$:@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-2458924787
                                  • Opcode ID: 51cc89a3769b2d54c80e9edb22cd5ac876a7a1885d8abbadad940d80b6cbdffe
                                  • Instruction ID: 19ce4efca1faa3630bccdca1be957030f84241345613b23abd86f55df0da3b47
                                  • Opcode Fuzzy Hash: 51cc89a3769b2d54c80e9edb22cd5ac876a7a1885d8abbadad940d80b6cbdffe
                                  • Instruction Fuzzy Hash: E3034974A02228CFDB25EF34D954BA9B7B2FB48304F1081EAD90A67794DB359E85CF50
                                  Function 00D74630 Relevance: 11.6, Strings: 8, Instructions: 1579COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2164 d74630-d7467d 2171 d74683-d747d2 2164->2171 2172 d7480d-d74821 2164->2172 2171->2172 2173 d74827-d74934 2172->2173 2174 d7496f-d74983 2172->2174 2173->2174 2175 d749d6-d749ea 2174->2175 2176 d74985-d7498b call d74210 2174->2176 2180 d74a32-d74a46 2175->2180 2181 d749ec-d749f7 2175->2181 2183 d74990-d7499b 2176->2183 2184 d74b94-d74ba8 2180->2184 2185 d74a4c-d74b59 2180->2185 2181->2180 2183->2175 2187 d74cd4-d74ce8 2184->2187 2188 d74bae-d74bc2 2184->2188 2185->2184 2192 d74f74-d74f88 2187->2192 2193 d74cee-d74f2d 2187->2193 2195 d74bc4-d74bcb 2188->2195 2196 d74bd0-d74be4 2188->2196 2197 d74fe2-d74ff6 2192->2197 2198 d74f8a-d74f9b 2192->2198 2193->2192 2202 d74c48-d74c5c 2195->2202 2199 d74be6-d74bed 2196->2199 2200 d74bef-d74c03 2196->2200 2208 d75045-d75059 2197->2208 2209 d74ff8-d74ffe 2197->2209 2198->2197 2199->2202 2206 d74c05-d74c0c 2200->2206 2207 d74c0e-d74c22 2200->2207 2210 d74c76-d74c82 2202->2210 2211 d74c5e-d74c74 2202->2211 2206->2202 2213 d74c24-d74c2b 2207->2213 2214 d74c2d-d74c41 2207->2214 2215 d750a2-d750b6 2208->2215 2216 d7505b 2208->2216 2209->2208 2217 d74c8d 2210->2217 2211->2217 2213->2202 2214->2202 2221 d74c43-d74c45 2214->2221 2219 d7512d-d75141 2215->2219 2220 d750b8-d750e1 2215->2220 2216->2215 2217->2187 2228 d75147-d75363 2219->2228 2229 d753b4-d753c8 2219->2229 2220->2219 2221->2202 2606 d75367 2228->2606 2607 d75365 2228->2607 2232 d7549e-d754b2 2229->2232 2233 d753ce-d75457 2229->2233 2237 d7566f-d75683 2232->2237 2238 d754b8-d75628 2232->2238 2233->2232 2243 d757e6-d757fa 2237->2243 2244 d75689-d7579f 2237->2244 2238->2237 2250 d75800-d75916 2243->2250 2251 d7595d-d75971 2243->2251 2244->2243 2250->2251 2254 d75977-d75a8d 2251->2254 2255 d75ad4-d75ae8 2251->2255 2254->2255 2261 d75aee-d75c04 2255->2261 2262 d75c4b-d75c5f 2255->2262 2261->2262 2272 d75c65-d75d7b 2262->2272 2273 d75dc2-d75dd6 2262->2273 2272->2273 2280 d75ddc-d75ef2 2273->2280 2281 d75f39-d75f4d 2273->2281 2280->2281 2286 d75f53-d76069 2281->2286 2287 d760b0-d760c4 2281->2287 2286->2287 2296 d76227-d7623b 2287->2296 2297 d760ca-d761e0 2287->2297 2305 d76241-d76357 2296->2305 2306 d7639e-d763b2 2296->2306 2297->2296 2305->2306 2313 d76536-d7654a 2306->2313 2314 d763b8-d763fd call d74278 2306->2314 2327 d76550-d7656f 2313->2327 2328 d7668d-d766a1 2313->2328 2445 d764bd-d764df 2314->2445 2363 d76614-d76636 2327->2363 2331 d766a7-d767a7 2328->2331 2332 d767ee-d76802 2328->2332 2331->2332 2348 d7694f-d76963 2332->2348 2349 d76808-d76908 2332->2349 2357 d76ab0-d76ada 2348->2357 2358 d76969-d76a69 2348->2358 2349->2348 2377 d76ae0-d76b53 2357->2377 2378 d76b9a-d76bae 2357->2378 2358->2357 2364 d76574-d76583 2363->2364 2365 d7663c 2363->2365 2382 d7663e 2364->2382 2383 d76589-d765bc 2364->2383 2365->2328 2377->2378 2393 d76bb4-d76c0b 2378->2393 2394 d76c8b-d76c9f 2378->2394 2401 d76643-d7668b 2382->2401 2473 d76603-d7660c 2383->2473 2474 d765be-d765f8 2383->2474 2525 d76c12-d76c44 2393->2525 2399 d76de5-d76df9 2394->2399 2400 d76ca5-d76d9e 2394->2400 2421 d76dff-d76e4f 2399->2421 2422 d7705c-d77070 2399->2422 2400->2399 2401->2328 2533 d76e51-d76e77 2421->2533 2534 d76ebd-d76ee8 2421->2534 2436 d77076-d77111 call d74278 * 2 2422->2436 2437 d77158-d7715f 2422->2437 2436->2437 2462 d764e5 2445->2462 2463 d76402-d76411 2445->2463 2462->2313 2470 d764e7 2463->2470 2471 d76417-d764b5 2463->2471 2491 d764ec-d76534 2470->2491 2471->2491 2608 d764b7 2471->2608 2473->2401 2481 d7660e 2473->2481 2474->2473 2481->2363 2491->2313 2525->2394 2609 d76e79-d76e99 2533->2609 2610 d76eb8 2533->2610 2612 d76fc6-d77057 2534->2612 2613 d76eee-d76fc1 2534->2613 2618 d7536d 2606->2618 2674 d75367 call d771c1 2606->2674 2607->2618 2608->2445 2609->2610 2610->2422 2612->2422 2613->2422 2618->2229 2674->2618
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $:@2l$:@2l$:@2l$:@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-2159143268
                                  • Opcode ID: 26004bb35f59722cbd7ddc05a1630a9c59f670f43c1bc1130b6c9a0f8c32b5e0
                                  • Instruction ID: ada628c0ea573191104332d6008f71686926fba606d1a65ca8f914f1667b1577
                                  • Opcode Fuzzy Hash: 26004bb35f59722cbd7ddc05a1630a9c59f670f43c1bc1130b6c9a0f8c32b5e0
                                  • Instruction Fuzzy Hash: 99033974A02228CFDB25EF34D954BA9B7B2FB48304F1081EAD90A67794DB359E85CF50
                                  Function 00D7470F Relevance: 11.5, Strings: 8, Instructions: 1544COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 2675 d7470f-d74821 2689 d74827-d74934 2675->2689 2690 d7496f-d74983 2675->2690 2689->2690 2691 d749d6-d749ea 2690->2691 2692 d74985-d7498b call d74210 2690->2692 2695 d74a32-d74a46 2691->2695 2696 d749ec-d749f7 2691->2696 2697 d74990-d7499b 2692->2697 2698 d74b94-d74ba8 2695->2698 2699 d74a4c-d74b59 2695->2699 2696->2695 2697->2691 2701 d74cd4-d74ce8 2698->2701 2702 d74bae-d74bc2 2698->2702 2699->2698 2705 d74f74-d74f88 2701->2705 2706 d74cee-d74f2d 2701->2706 2708 d74bc4-d74bcb 2702->2708 2709 d74bd0-d74be4 2702->2709 2710 d74fe2-d74ff6 2705->2710 2711 d74f8a-d74f9b 2705->2711 2706->2705 2715 d74c48-d74c5c 2708->2715 2712 d74be6-d74bed 2709->2712 2713 d74bef-d74c03 2709->2713 2720 d75045-d75059 2710->2720 2721 d74ff8-d74ffe 2710->2721 2711->2710 2712->2715 2718 d74c05-d74c0c 2713->2718 2719 d74c0e-d74c22 2713->2719 2722 d74c76-d74c82 2715->2722 2723 d74c5e-d74c74 2715->2723 2718->2715 2725 d74c24-d74c2b 2719->2725 2726 d74c2d-d74c41 2719->2726 2727 d750a2-d750b6 2720->2727 2728 d7505b 2720->2728 2721->2720 2729 d74c8d 2722->2729 2723->2729 2725->2715 2726->2715 2736 d74c43-d74c45 2726->2736 2731 d7512d-d75141 2727->2731 2732 d750b8-d750e1 2727->2732 2728->2727 2729->2701 2739 d75147-d75363 2731->2739 2740 d753b4-d753c8 2731->2740 2732->2731 2736->2715 3109 d75367 2739->3109 3110 d75365 2739->3110 2742 d7549e-d754b2 2740->2742 2743 d753ce-d75457 2740->2743 2747 d7566f-d75683 2742->2747 2748 d754b8-d75628 2742->2748 2743->2742 2754 d757e6-d757fa 2747->2754 2755 d75689-d7579f 2747->2755 2748->2747 2759 d75800-d75916 2754->2759 2760 d7595d-d75971 2754->2760 2755->2754 2759->2760 2762 d75977-d75a8d 2760->2762 2763 d75ad4-d75ae8 2760->2763 2762->2763 2769 d75aee-d75c04 2763->2769 2770 d75c4b-d75c5f 2763->2770 2769->2770 2778 d75c65-d75d7b 2770->2778 2779 d75dc2-d75dd6 2770->2779 2778->2779 2787 d75ddc-d75ef2 2779->2787 2788 d75f39-d75f4d 2779->2788 2787->2788 2792 d75f53-d76069 2788->2792 2793 d760b0-d760c4 2788->2793 2792->2793 2801 d76227-d7623b 2793->2801 2802 d760ca-d761e0 2793->2802 2810 d76241-d76357 2801->2810 2811 d7639e-d763b2 2801->2811 2802->2801 2810->2811 2817 d76536-d7654a 2811->2817 2818 d763b8-d763fd call d74278 2811->2818 2831 d76550-d7656f 2817->2831 2832 d7668d-d766a1 2817->2832 2948 d764bd-d764df 2818->2948 2866 d76614-d76636 2831->2866 2835 d766a7-d767a7 2832->2835 2836 d767ee-d76802 2832->2836 2835->2836 2851 d7694f-d76963 2836->2851 2852 d76808-d76908 2836->2852 2860 d76ab0-d76ada 2851->2860 2861 d76969-d76a69 2851->2861 2852->2851 2880 d76ae0-d76b53 2860->2880 2881 d76b9a-d76bae 2860->2881 2861->2860 2867 d76574-d76583 2866->2867 2868 d7663c 2866->2868 2885 d7663e 2867->2885 2886 d76589-d765bc 2867->2886 2868->2832 2880->2881 2896 d76bb4-d76c0b 2881->2896 2897 d76c8b-d76c9f 2881->2897 2904 d76643-d7668b 2885->2904 2976 d76603-d7660c 2886->2976 2977 d765be-d765f8 2886->2977 3028 d76c12-d76c44 2896->3028 2902 d76de5-d76df9 2897->2902 2903 d76ca5-d76d9e 2897->2903 2924 d76dff-d76e4f 2902->2924 2925 d7705c-d77070 2902->2925 2903->2902 2904->2832 3036 d76e51-d76e77 2924->3036 3037 d76ebd-d76ee8 2924->3037 2939 d77076-d77111 call d74278 * 2 2925->2939 2940 d77158-d7715f 2925->2940 2939->2940 2965 d764e5 2948->2965 2966 d76402-d76411 2948->2966 2965->2817 2973 d764e7 2966->2973 2974 d76417-d764b5 2966->2974 2994 d764ec-d76534 2973->2994 2974->2994 3111 d764b7 2974->3111 2976->2904 2984 d7660e 2976->2984 2977->2976 2984->2866 2994->2817 3028->2897 3112 d76e79-d76e99 3036->3112 3113 d76eb8 3036->3113 3115 d76fc6-d77057 3037->3115 3116 d76eee-d76fc1 3037->3116 3121 d7536d 3109->3121 3177 d75367 call d771c1 3109->3177 3110->3121 3111->2948 3112->3113 3113->2925 3115->2925 3116->2925 3121->2740 3177->3121
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $:@2l$:@2l$:@2l$:@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-2159143268
                                  • Opcode ID: 59e7e96cd9ef7aa8692560c82799bb92b57acf9e2fb632b505e54c71f0b0d34f
                                  • Instruction ID: c1e860d10c880b5c018ca2c4e93048b564ce13c8ab277b5c52e1d70df0ce0840
                                  • Opcode Fuzzy Hash: 59e7e96cd9ef7aa8692560c82799bb92b57acf9e2fb632b505e54c71f0b0d34f
                                  • Instruction Fuzzy Hash: D2F24974A02228CFDB25EF24DD54BA9B7B2FB48304F1081EAD90A67794DB359E85CF50
                                  Function 00D747D4 Relevance: 11.5, Strings: 8, Instructions: 1513COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3178 d747d4-d74821 3185 d74827-d74934 3178->3185 3186 d7496f-d74983 3178->3186 3185->3186 3187 d749d6-d749ea 3186->3187 3188 d74985-d7498b call d74210 3186->3188 3191 d74a32-d74a46 3187->3191 3192 d749ec-d749f7 3187->3192 3193 d74990-d7499b 3188->3193 3194 d74b94-d74ba8 3191->3194 3195 d74a4c-d74b59 3191->3195 3192->3191 3193->3187 3197 d74cd4-d74ce8 3194->3197 3198 d74bae-d74bc2 3194->3198 3195->3194 3201 d74f74-d74f88 3197->3201 3202 d74cee-d74f2d 3197->3202 3204 d74bc4-d74bcb 3198->3204 3205 d74bd0-d74be4 3198->3205 3206 d74fe2-d74ff6 3201->3206 3207 d74f8a-d74f9b 3201->3207 3202->3201 3211 d74c48-d74c5c 3204->3211 3208 d74be6-d74bed 3205->3208 3209 d74bef-d74c03 3205->3209 3216 d75045-d75059 3206->3216 3217 d74ff8-d74ffe 3206->3217 3207->3206 3208->3211 3214 d74c05-d74c0c 3209->3214 3215 d74c0e-d74c22 3209->3215 3218 d74c76-d74c82 3211->3218 3219 d74c5e-d74c74 3211->3219 3214->3211 3221 d74c24-d74c2b 3215->3221 3222 d74c2d-d74c41 3215->3222 3223 d750a2-d750b6 3216->3223 3224 d7505b 3216->3224 3217->3216 3225 d74c8d 3218->3225 3219->3225 3221->3211 3222->3211 3232 d74c43-d74c45 3222->3232 3227 d7512d-d75141 3223->3227 3228 d750b8-d750e1 3223->3228 3224->3223 3225->3197 3235 d75147-d75363 3227->3235 3236 d753b4-d753c8 3227->3236 3228->3227 3232->3211 3605 d75367 3235->3605 3606 d75365 3235->3606 3238 d7549e-d754b2 3236->3238 3239 d753ce-d75457 3236->3239 3243 d7566f-d75683 3238->3243 3244 d754b8-d75628 3238->3244 3239->3238 3250 d757e6-d757fa 3243->3250 3251 d75689-d7579f 3243->3251 3244->3243 3255 d75800-d75916 3250->3255 3256 d7595d-d75971 3250->3256 3251->3250 3255->3256 3258 d75977-d75a8d 3256->3258 3259 d75ad4-d75ae8 3256->3259 3258->3259 3265 d75aee-d75c04 3259->3265 3266 d75c4b-d75c5f 3259->3266 3265->3266 3274 d75c65-d75d7b 3266->3274 3275 d75dc2-d75dd6 3266->3275 3274->3275 3283 d75ddc-d75ef2 3275->3283 3284 d75f39-d75f4d 3275->3284 3283->3284 3288 d75f53-d76069 3284->3288 3289 d760b0-d760c4 3284->3289 3288->3289 3297 d76227-d7623b 3289->3297 3298 d760ca-d761e0 3289->3298 3306 d76241-d76357 3297->3306 3307 d7639e-d763b2 3297->3307 3298->3297 3306->3307 3313 d76536-d7654a 3307->3313 3314 d763b8-d763fd call d74278 3307->3314 3327 d76550-d7656f 3313->3327 3328 d7668d-d766a1 3313->3328 3444 d764bd-d764df 3314->3444 3362 d76614-d76636 3327->3362 3331 d766a7-d767a7 3328->3331 3332 d767ee-d76802 3328->3332 3331->3332 3347 d7694f-d76963 3332->3347 3348 d76808-d76908 3332->3348 3356 d76ab0-d76ada 3347->3356 3357 d76969-d76a69 3347->3357 3348->3347 3376 d76ae0-d76b53 3356->3376 3377 d76b9a-d76bae 3356->3377 3357->3356 3363 d76574-d76583 3362->3363 3364 d7663c 3362->3364 3381 d7663e 3363->3381 3382 d76589-d765bc 3363->3382 3364->3328 3376->3377 3392 d76bb4-d76c0b 3377->3392 3393 d76c8b-d76c9f 3377->3393 3400 d76643-d7668b 3381->3400 3472 d76603-d7660c 3382->3472 3473 d765be-d765f8 3382->3473 3524 d76c12-d76c44 3392->3524 3398 d76de5-d76df9 3393->3398 3399 d76ca5-d76d9e 3393->3399 3420 d76dff-d76e4f 3398->3420 3421 d7705c-d77070 3398->3421 3399->3398 3400->3328 3532 d76e51-d76e77 3420->3532 3533 d76ebd-d76ee8 3420->3533 3435 d77076-d77111 call d74278 * 2 3421->3435 3436 d77158-d7715f 3421->3436 3435->3436 3461 d764e5 3444->3461 3462 d76402-d76411 3444->3462 3461->3313 3469 d764e7 3462->3469 3470 d76417-d764b5 3462->3470 3490 d764ec-d76534 3469->3490 3470->3490 3607 d764b7 3470->3607 3472->3400 3480 d7660e 3472->3480 3473->3472 3480->3362 3490->3313 3524->3393 3608 d76e79-d76e99 3532->3608 3609 d76eb8 3532->3609 3611 d76fc6-d77057 3533->3611 3612 d76eee-d76fc1 3533->3612 3617 d7536d 3605->3617 3673 d75367 call d771c1 3605->3673 3606->3617 3607->3444 3608->3609 3609->3421 3611->3421 3612->3421 3617->3236 3673->3617
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $:@2l$:@2l$:@2l$:@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-2159143268
                                  • Opcode ID: 4dcdc43dd55633e74eb5ecb7b018edd4196029e1d924118e7ded0261bc057e28
                                  • Instruction ID: e7e619b7438aa0935ae8e9186c002db32511c3fc99120623e6634fbbcf83df10
                                  • Opcode Fuzzy Hash: 4dcdc43dd55633e74eb5ecb7b018edd4196029e1d924118e7ded0261bc057e28
                                  • Instruction Fuzzy Hash: 09F24974A02228CFDB25EF24DD54BA9B7B2FB48304F1081EAD90A67794DB319E85CF50
                                  Function 00D74936 Relevance: 11.5, Strings: 8, Instructions: 1456COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3674 d74936-d74983 3681 d749d6-d749ea 3674->3681 3682 d74985-d7498b call d74210 3674->3682 3684 d74a32-d74a46 3681->3684 3685 d749ec-d749f7 3681->3685 3686 d74990-d7499b 3682->3686 3687 d74b94-d74ba8 3684->3687 3688 d74a4c-d74b59 3684->3688 3685->3684 3686->3681 3689 d74cd4-d74ce8 3687->3689 3690 d74bae-d74bc2 3687->3690 3688->3687 3693 d74f74-d74f88 3689->3693 3694 d74cee-d74f2d 3689->3694 3696 d74bc4-d74bcb 3690->3696 3697 d74bd0-d74be4 3690->3697 3698 d74fe2-d74ff6 3693->3698 3699 d74f8a-d74f9b 3693->3699 3694->3693 3702 d74c48-d74c5c 3696->3702 3700 d74be6-d74bed 3697->3700 3701 d74bef-d74c03 3697->3701 3707 d75045-d75059 3698->3707 3708 d74ff8-d74ffe 3698->3708 3699->3698 3700->3702 3705 d74c05-d74c0c 3701->3705 3706 d74c0e-d74c22 3701->3706 3709 d74c76-d74c82 3702->3709 3710 d74c5e-d74c74 3702->3710 3705->3702 3712 d74c24-d74c2b 3706->3712 3713 d74c2d-d74c41 3706->3713 3714 d750a2-d750b6 3707->3714 3715 d7505b 3707->3715 3708->3707 3716 d74c8d 3709->3716 3710->3716 3712->3702 3713->3702 3722 d74c43-d74c45 3713->3722 3717 d7512d-d75141 3714->3717 3718 d750b8-d750e1 3714->3718 3715->3714 3716->3689 3724 d75147-d75363 3717->3724 3725 d753b4-d753c8 3717->3725 3718->3717 3722->3702 4085 d75367 3724->4085 4086 d75365 3724->4086 3727 d7549e-d754b2 3725->3727 3728 d753ce-d75457 3725->3728 3732 d7566f-d75683 3727->3732 3733 d754b8-d75628 3727->3733 3728->3727 3738 d757e6-d757fa 3732->3738 3739 d75689-d7579f 3732->3739 3733->3732 3742 d75800-d75916 3738->3742 3743 d7595d-d75971 3738->3743 3739->3738 3742->3743 3745 d75977-d75a8d 3743->3745 3746 d75ad4-d75ae8 3743->3746 3745->3746 3752 d75aee-d75c04 3746->3752 3753 d75c4b-d75c5f 3746->3753 3752->3753 3760 d75c65-d75d7b 3753->3760 3761 d75dc2-d75dd6 3753->3761 3760->3761 3768 d75ddc-d75ef2 3761->3768 3769 d75f39-d75f4d 3761->3769 3768->3769 3772 d75f53-d76069 3769->3772 3773 d760b0-d760c4 3769->3773 3772->3773 3782 d76227-d7623b 3773->3782 3783 d760ca-d761e0 3773->3783 3790 d76241-d76357 3782->3790 3791 d7639e-d763b2 3782->3791 3783->3782 3790->3791 3797 d76536-d7654a 3791->3797 3798 d763b8-d763fd call d74278 3791->3798 3810 d76550-d7656f 3797->3810 3811 d7668d-d766a1 3797->3811 3924 d764bd-d764df 3798->3924 3843 d76614-d76636 3810->3843 3814 d766a7-d767a7 3811->3814 3815 d767ee-d76802 3811->3815 3814->3815 3828 d7694f-d76963 3815->3828 3829 d76808-d76908 3815->3829 3837 d76ab0-d76ada 3828->3837 3838 d76969-d76a69 3828->3838 3829->3828 3856 d76ae0-d76b53 3837->3856 3857 d76b9a-d76bae 3837->3857 3838->3837 3844 d76574-d76583 3843->3844 3845 d7663c 3843->3845 3861 d7663e 3844->3861 3862 d76589-d765bc 3844->3862 3845->3811 3856->3857 3872 d76bb4-d76c0b 3857->3872 3873 d76c8b-d76c9f 3857->3873 3880 d76643-d7668b 3861->3880 3952 d76603-d7660c 3862->3952 3953 d765be-d765f8 3862->3953 4004 d76c12-d76c44 3872->4004 3878 d76de5-d76df9 3873->3878 3879 d76ca5-d76d9e 3873->3879 3900 d76dff-d76e4f 3878->3900 3901 d7705c-d77070 3878->3901 3879->3878 3880->3811 4012 d76e51-d76e77 3900->4012 4013 d76ebd-d76ee8 3900->4013 3915 d77076-d77111 call d74278 * 2 3901->3915 3916 d77158-d7715f 3901->3916 3915->3916 3941 d764e5 3924->3941 3942 d76402-d76411 3924->3942 3941->3797 3949 d764e7 3942->3949 3950 d76417-d764b5 3942->3950 3970 d764ec-d76534 3949->3970 3950->3970 4087 d764b7 3950->4087 3952->3880 3960 d7660e 3952->3960 3953->3952 3960->3843 3970->3797 4004->3873 4088 d76e79-d76e99 4012->4088 4089 d76eb8 4012->4089 4091 d76fc6-d77057 4013->4091 4092 d76eee-d76fc1 4013->4092 4097 d7536d 4085->4097 4153 d75367 call d771c1 4085->4153 4086->4097 4087->3924 4088->4089 4089->3901 4091->3901 4092->3901 4097->3725 4153->4097
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $:@2l$:@2l$:@2l$:@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-2159143268
                                  • Opcode ID: b448f89d0f65324b88839cade39ac2fbfc12900bdea71863216e1b2b86d15d2b
                                  • Instruction ID: 2aa80e348477b0207e215e664fcecfb7507c382200cb27624e8d7b99687e40a5
                                  • Opcode Fuzzy Hash: b448f89d0f65324b88839cade39ac2fbfc12900bdea71863216e1b2b86d15d2b
                                  • Instruction Fuzzy Hash: 75F24974A06228CFDB25EF24DD54BA9B7B2FB48304F1081EAD90A67794DB319E85CF50
                                  Function 00D7499D Relevance: 11.4, Strings: 8, Instructions: 1447COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4154 d7499d-d749ea 4161 d74a32-d74a46 4154->4161 4162 d749ec-d749f7 4154->4162 4163 d74b94-d74ba8 4161->4163 4164 d74a4c-d74b59 4161->4164 4162->4161 4165 d74cd4-d74ce8 4163->4165 4166 d74bae-d74bc2 4163->4166 4164->4163 4169 d74f74-d74f88 4165->4169 4170 d74cee-d74f2d 4165->4170 4171 d74bc4-d74bcb 4166->4171 4172 d74bd0-d74be4 4166->4172 4173 d74fe2-d74ff6 4169->4173 4174 d74f8a-d74f9b 4169->4174 4170->4169 4177 d74c48-d74c5c 4171->4177 4175 d74be6-d74bed 4172->4175 4176 d74bef-d74c03 4172->4176 4182 d75045-d75059 4173->4182 4183 d74ff8-d74ffe 4173->4183 4174->4173 4175->4177 4180 d74c05-d74c0c 4176->4180 4181 d74c0e-d74c22 4176->4181 4184 d74c76-d74c82 4177->4184 4185 d74c5e-d74c74 4177->4185 4180->4177 4187 d74c24-d74c2b 4181->4187 4188 d74c2d-d74c41 4181->4188 4189 d750a2-d750b6 4182->4189 4190 d7505b 4182->4190 4183->4182 4191 d74c8d 4184->4191 4185->4191 4187->4177 4188->4177 4197 d74c43-d74c45 4188->4197 4192 d7512d-d75141 4189->4192 4193 d750b8-d750e1 4189->4193 4190->4189 4191->4165 4199 d75147-d75363 4192->4199 4200 d753b4-d753c8 4192->4200 4193->4192 4197->4177 4560 d75367 4199->4560 4561 d75365 4199->4561 4202 d7549e-d754b2 4200->4202 4203 d753ce-d75457 4200->4203 4207 d7566f-d75683 4202->4207 4208 d754b8-d75628 4202->4208 4203->4202 4213 d757e6-d757fa 4207->4213 4214 d75689-d7579f 4207->4214 4208->4207 4217 d75800-d75916 4213->4217 4218 d7595d-d75971 4213->4218 4214->4213 4217->4218 4220 d75977-d75a8d 4218->4220 4221 d75ad4-d75ae8 4218->4221 4220->4221 4227 d75aee-d75c04 4221->4227 4228 d75c4b-d75c5f 4221->4228 4227->4228 4235 d75c65-d75d7b 4228->4235 4236 d75dc2-d75dd6 4228->4236 4235->4236 4243 d75ddc-d75ef2 4236->4243 4244 d75f39-d75f4d 4236->4244 4243->4244 4247 d75f53-d76069 4244->4247 4248 d760b0-d760c4 4244->4248 4247->4248 4257 d76227-d7623b 4248->4257 4258 d760ca-d761e0 4248->4258 4265 d76241-d76357 4257->4265 4266 d7639e-d763b2 4257->4266 4258->4257 4265->4266 4272 d76536-d7654a 4266->4272 4273 d763b8-d763fd call d74278 4266->4273 4285 d76550-d7656f 4272->4285 4286 d7668d-d766a1 4272->4286 4399 d764bd-d764df 4273->4399 4318 d76614-d76636 4285->4318 4289 d766a7-d767a7 4286->4289 4290 d767ee-d76802 4286->4290 4289->4290 4303 d7694f-d76963 4290->4303 4304 d76808-d76908 4290->4304 4312 d76ab0-d76ada 4303->4312 4313 d76969-d76a69 4303->4313 4304->4303 4331 d76ae0-d76b53 4312->4331 4332 d76b9a-d76bae 4312->4332 4313->4312 4319 d76574-d76583 4318->4319 4320 d7663c 4318->4320 4336 d7663e 4319->4336 4337 d76589-d765bc 4319->4337 4320->4286 4331->4332 4347 d76bb4-d76c0b 4332->4347 4348 d76c8b-d76c9f 4332->4348 4355 d76643-d7668b 4336->4355 4427 d76603-d7660c 4337->4427 4428 d765be-d765f8 4337->4428 4479 d76c12-d76c44 4347->4479 4353 d76de5-d76df9 4348->4353 4354 d76ca5-d76d9e 4348->4354 4375 d76dff-d76e4f 4353->4375 4376 d7705c-d77070 4353->4376 4354->4353 4355->4286 4487 d76e51-d76e77 4375->4487 4488 d76ebd-d76ee8 4375->4488 4390 d77076-d77111 call d74278 * 2 4376->4390 4391 d77158-d7715f 4376->4391 4390->4391 4416 d764e5 4399->4416 4417 d76402-d76411 4399->4417 4416->4272 4424 d764e7 4417->4424 4425 d76417-d764b5 4417->4425 4445 d764ec-d76534 4424->4445 4425->4445 4562 d764b7 4425->4562 4427->4355 4435 d7660e 4427->4435 4428->4427 4435->4318 4445->4272 4479->4348 4563 d76e79-d76e99 4487->4563 4564 d76eb8 4487->4564 4566 d76fc6-d77057 4488->4566 4567 d76eee-d76fc1 4488->4567 4572 d7536d 4560->4572 4628 d75367 call d771c1 4560->4628 4561->4572 4562->4399 4563->4564 4564->4376 4566->4376 4567->4376 4572->4200 4628->4572
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $:@2l$:@2l$:@2l$:@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-2159143268
                                  • Opcode ID: bb7651017ddeb25ada44ef39b7b4e8343a5cfb3f8b0b76bcb287afedc51094b5
                                  • Instruction ID: d8078fe909421d3556eef58052393b8ab9b251f5eda3d6766380d8fc403eaa52
                                  • Opcode Fuzzy Hash: bb7651017ddeb25ada44ef39b7b4e8343a5cfb3f8b0b76bcb287afedc51094b5
                                  • Instruction Fuzzy Hash: 88F24974A06228CFDB25EF24DD54BA9B7B2FB48304F1081EAD90A67794DB319E85CF50
                                  Function 00D749F9 Relevance: 11.4, Strings: 8, Instructions: 1440COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4629 d749f9-d74a46 4636 d74b94-d74ba8 4629->4636 4637 d74a4c-d74b59 4629->4637 4638 d74cd4-d74ce8 4636->4638 4639 d74bae-d74bc2 4636->4639 4637->4636 4641 d74f74-d74f88 4638->4641 4642 d74cee-d74f2d 4638->4642 4643 d74bc4-d74bcb 4639->4643 4644 d74bd0-d74be4 4639->4644 4645 d74fe2-d74ff6 4641->4645 4646 d74f8a-d74f9b 4641->4646 4642->4641 4649 d74c48-d74c5c 4643->4649 4647 d74be6-d74bed 4644->4647 4648 d74bef-d74c03 4644->4648 4654 d75045-d75059 4645->4654 4655 d74ff8-d74ffe 4645->4655 4646->4645 4647->4649 4652 d74c05-d74c0c 4648->4652 4653 d74c0e-d74c22 4648->4653 4656 d74c76-d74c82 4649->4656 4657 d74c5e-d74c74 4649->4657 4652->4649 4659 d74c24-d74c2b 4653->4659 4660 d74c2d-d74c41 4653->4660 4661 d750a2-d750b6 4654->4661 4662 d7505b 4654->4662 4655->4654 4663 d74c8d 4656->4663 4657->4663 4659->4649 4660->4649 4669 d74c43-d74c45 4660->4669 4664 d7512d-d75141 4661->4664 4665 d750b8-d750e1 4661->4665 4662->4661 4663->4638 4671 d75147-d75363 4664->4671 4672 d753b4-d753c8 4664->4672 4665->4664 4669->4649 5032 d75367 4671->5032 5033 d75365 4671->5033 4674 d7549e-d754b2 4672->4674 4675 d753ce-d75457 4672->4675 4679 d7566f-d75683 4674->4679 4680 d754b8-d75628 4674->4680 4675->4674 4685 d757e6-d757fa 4679->4685 4686 d75689-d7579f 4679->4686 4680->4679 4689 d75800-d75916 4685->4689 4690 d7595d-d75971 4685->4690 4686->4685 4689->4690 4692 d75977-d75a8d 4690->4692 4693 d75ad4-d75ae8 4690->4693 4692->4693 4699 d75aee-d75c04 4693->4699 4700 d75c4b-d75c5f 4693->4700 4699->4700 4707 d75c65-d75d7b 4700->4707 4708 d75dc2-d75dd6 4700->4708 4707->4708 4715 d75ddc-d75ef2 4708->4715 4716 d75f39-d75f4d 4708->4716 4715->4716 4719 d75f53-d76069 4716->4719 4720 d760b0-d760c4 4716->4720 4719->4720 4729 d76227-d7623b 4720->4729 4730 d760ca-d761e0 4720->4730 4737 d76241-d76357 4729->4737 4738 d7639e-d763b2 4729->4738 4730->4729 4737->4738 4744 d76536-d7654a 4738->4744 4745 d763b8-d763fd call d74278 4738->4745 4757 d76550-d7656f 4744->4757 4758 d7668d-d766a1 4744->4758 4871 d764bd-d764df 4745->4871 4790 d76614-d76636 4757->4790 4761 d766a7-d767a7 4758->4761 4762 d767ee-d76802 4758->4762 4761->4762 4775 d7694f-d76963 4762->4775 4776 d76808-d76908 4762->4776 4784 d76ab0-d76ada 4775->4784 4785 d76969-d76a69 4775->4785 4776->4775 4803 d76ae0-d76b53 4784->4803 4804 d76b9a-d76bae 4784->4804 4785->4784 4791 d76574-d76583 4790->4791 4792 d7663c 4790->4792 4808 d7663e 4791->4808 4809 d76589-d765bc 4791->4809 4792->4758 4803->4804 4819 d76bb4-d76c0b 4804->4819 4820 d76c8b-d76c9f 4804->4820 4827 d76643-d7668b 4808->4827 4899 d76603-d7660c 4809->4899 4900 d765be-d765f8 4809->4900 4951 d76c12-d76c44 4819->4951 4825 d76de5-d76df9 4820->4825 4826 d76ca5-d76d9e 4820->4826 4847 d76dff-d76e4f 4825->4847 4848 d7705c-d77070 4825->4848 4826->4825 4827->4758 4959 d76e51-d76e77 4847->4959 4960 d76ebd-d76ee8 4847->4960 4862 d77076-d77111 call d74278 * 2 4848->4862 4863 d77158-d7715f 4848->4863 4862->4863 4888 d764e5 4871->4888 4889 d76402-d76411 4871->4889 4888->4744 4896 d764e7 4889->4896 4897 d76417-d764b5 4889->4897 4917 d764ec-d76534 4896->4917 4897->4917 5034 d764b7 4897->5034 4899->4827 4907 d7660e 4899->4907 4900->4899 4907->4790 4917->4744 4951->4820 5035 d76e79-d76e99 4959->5035 5036 d76eb8 4959->5036 5038 d76fc6-d77057 4960->5038 5039 d76eee-d76fc1 4960->5039 5044 d7536d 5032->5044 5100 d75367 call d771c1 5032->5100 5033->5044 5034->4871 5035->5036 5036->4848 5038->4848 5039->4848 5044->4672 5100->5044
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $:@2l$:@2l$:@2l$:@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-2159143268
                                  • Opcode ID: 5547b311a7bce4943db20a3c16393e221978362acceca99238e6860b9aae8e83
                                  • Instruction ID: 6df07876a2058a59145631d8be3aa2b01e822c203a6b2e208ef0ebe5ab464e9d
                                  • Opcode Fuzzy Hash: 5547b311a7bce4943db20a3c16393e221978362acceca99238e6860b9aae8e83
                                  • Instruction Fuzzy Hash: FCF24874A06228CFDB25EF24DD54BA9B7B2FB48304F1081EAD90A67794DB319E85CF50
                                  Function 00D74B5B Relevance: 11.4, Strings: 8, Instructions: 1383COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 5101 d74b5b-d74ba8 5108 d74cd4-d74ce8 5101->5108 5109 d74bae-d74bc2 5101->5109 5110 d74f74-d74f88 5108->5110 5111 d74cee-d74f2d 5108->5111 5112 d74bc4-d74bcb 5109->5112 5113 d74bd0-d74be4 5109->5113 5114 d74fe2-d74ff6 5110->5114 5115 d74f8a-d74f9b 5110->5115 5111->5110 5118 d74c48-d74c5c 5112->5118 5116 d74be6-d74bed 5113->5116 5117 d74bef-d74c03 5113->5117 5122 d75045-d75059 5114->5122 5123 d74ff8-d74ffe 5114->5123 5115->5114 5116->5118 5120 d74c05-d74c0c 5117->5120 5121 d74c0e-d74c22 5117->5121 5124 d74c76-d74c82 5118->5124 5125 d74c5e-d74c74 5118->5125 5120->5118 5127 d74c24-d74c2b 5121->5127 5128 d74c2d-d74c41 5121->5128 5129 d750a2-d750b6 5122->5129 5130 d7505b 5122->5130 5123->5122 5131 d74c8d 5124->5131 5125->5131 5127->5118 5128->5118 5136 d74c43-d74c45 5128->5136 5132 d7512d-d75141 5129->5132 5133 d750b8-d750e1 5129->5133 5130->5129 5131->5108 5138 d75147-d75363 5132->5138 5139 d753b4-d753c8 5132->5139 5133->5132 5136->5118 5488 d75367 5138->5488 5489 d75365 5138->5489 5141 d7549e-d754b2 5139->5141 5142 d753ce-d75457 5139->5142 5145 d7566f-d75683 5141->5145 5146 d754b8-d75628 5141->5146 5142->5141 5150 d757e6-d757fa 5145->5150 5151 d75689-d7579f 5145->5151 5146->5145 5154 d75800-d75916 5150->5154 5155 d7595d-d75971 5150->5155 5151->5150 5154->5155 5157 d75977-d75a8d 5155->5157 5158 d75ad4-d75ae8 5155->5158 5157->5158 5163 d75aee-d75c04 5158->5163 5164 d75c4b-d75c5f 5158->5164 5163->5164 5170 d75c65-d75d7b 5164->5170 5171 d75dc2-d75dd6 5164->5171 5170->5171 5178 d75ddc-d75ef2 5171->5178 5179 d75f39-d75f4d 5171->5179 5178->5179 5182 d75f53-d76069 5179->5182 5183 d760b0-d760c4 5179->5183 5182->5183 5189 d76227-d7623b 5183->5189 5190 d760ca-d761e0 5183->5190 5198 d76241-d76357 5189->5198 5199 d7639e-d763b2 5189->5199 5190->5189 5198->5199 5205 d76536-d7654a 5199->5205 5206 d763b8-d763fd call d74278 5199->5206 5217 d76550-d7656f 5205->5217 5218 d7668d-d766a1 5205->5218 5327 d764bd-d764df 5206->5327 5249 d76614-d76636 5217->5249 5221 d766a7-d767a7 5218->5221 5222 d767ee-d76802 5218->5222 5221->5222 5234 d7694f-d76963 5222->5234 5235 d76808-d76908 5222->5235 5243 d76ab0-d76ada 5234->5243 5244 d76969-d76a69 5234->5244 5235->5234 5261 d76ae0-d76b53 5243->5261 5262 d76b9a-d76bae 5243->5262 5244->5243 5250 d76574-d76583 5249->5250 5251 d7663c 5249->5251 5265 d7663e 5250->5265 5266 d76589-d765bc 5250->5266 5251->5218 5261->5262 5276 d76bb4-d76c0b 5262->5276 5277 d76c8b-d76c9f 5262->5277 5284 d76643-d7668b 5265->5284 5355 d76603-d7660c 5266->5355 5356 d765be-d765f8 5266->5356 5407 d76c12-d76c44 5276->5407 5282 d76de5-d76df9 5277->5282 5283 d76ca5-d76d9e 5277->5283 5303 d76dff-d76e4f 5282->5303 5304 d7705c-d77070 5282->5304 5283->5282 5284->5218 5415 d76e51-d76e77 5303->5415 5416 d76ebd-d76ee8 5303->5416 5318 d77076-d77111 call d74278 * 2 5304->5318 5319 d77158-d7715f 5304->5319 5318->5319 5344 d764e5 5327->5344 5345 d76402-d76411 5327->5345 5344->5205 5352 d764e7 5345->5352 5353 d76417-d764b5 5345->5353 5373 d764ec-d76534 5352->5373 5353->5373 5490 d764b7 5353->5490 5355->5284 5363 d7660e 5355->5363 5356->5355 5363->5249 5373->5205 5407->5277 5491 d76e79-d76e99 5415->5491 5492 d76eb8 5415->5492 5494 d76fc6-d77057 5416->5494 5495 d76eee-d76fc1 5416->5495 5500 d7536d 5488->5500 5556 d75367 call d771c1 5488->5556 5489->5500 5490->5327 5491->5492 5492->5304 5494->5304 5495->5304 5500->5139 5556->5500
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $:@2l$:@2l$:@2l$:@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-2159143268
                                  • Opcode ID: b2a998132bdc9fc934c6a5e184ae93ca3e629bebbc66f6d7cf1c70ae1facc747
                                  • Instruction ID: a298ad96510489fde1cb2423e398ffa6dad8316ede3f901fd9f3e351546aca35
                                  • Opcode Fuzzy Hash: b2a998132bdc9fc934c6a5e184ae93ca3e629bebbc66f6d7cf1c70ae1facc747
                                  • Instruction Fuzzy Hash: 25E24974A06228CFDB25EF34D954BA9B7B2FB48304F1081EAD90A67794DB319E85CF50
                                  Function 00D74C8F Relevance: 10.1, Strings: 7, Instructions: 1362COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 5557 d74c8f-d74ce8 5564 d74f74-d74f88 5557->5564 5565 d74cee-d74f2d 5557->5565 5566 d74fe2-d74ff6 5564->5566 5567 d74f8a-d74f9b 5564->5567 5565->5564 5569 d75045-d75059 5566->5569 5570 d74ff8-d74ffe 5566->5570 5567->5566 5572 d750a2-d750b6 5569->5572 5573 d7505b 5569->5573 5570->5569 5574 d7512d-d75141 5572->5574 5575 d750b8-d750e1 5572->5575 5573->5572 5578 d75147-d75363 5574->5578 5579 d753b4-d753c8 5574->5579 5575->5574 5928 d75367 5578->5928 5929 d75365 5578->5929 5581 d7549e-d754b2 5579->5581 5582 d753ce-d75457 5579->5582 5585 d7566f-d75683 5581->5585 5586 d754b8-d75628 5581->5586 5582->5581 5590 d757e6-d757fa 5585->5590 5591 d75689-d7579f 5585->5591 5586->5585 5594 d75800-d75916 5590->5594 5595 d7595d-d75971 5590->5595 5591->5590 5594->5595 5597 d75977-d75a8d 5595->5597 5598 d75ad4-d75ae8 5595->5598 5597->5598 5603 d75aee-d75c04 5598->5603 5604 d75c4b-d75c5f 5598->5604 5603->5604 5610 d75c65-d75d7b 5604->5610 5611 d75dc2-d75dd6 5604->5611 5610->5611 5618 d75ddc-d75ef2 5611->5618 5619 d75f39-d75f4d 5611->5619 5618->5619 5622 d75f53-d76069 5619->5622 5623 d760b0-d760c4 5619->5623 5622->5623 5629 d76227-d7623b 5623->5629 5630 d760ca-d761e0 5623->5630 5638 d76241-d76357 5629->5638 5639 d7639e-d763b2 5629->5639 5630->5629 5638->5639 5645 d76536-d7654a 5639->5645 5646 d763b8-d763fd call d74278 5639->5646 5657 d76550-d7656f 5645->5657 5658 d7668d-d766a1 5645->5658 5767 d764bd-d764df 5646->5767 5689 d76614-d76636 5657->5689 5661 d766a7-d767a7 5658->5661 5662 d767ee-d76802 5658->5662 5661->5662 5674 d7694f-d76963 5662->5674 5675 d76808-d76908 5662->5675 5683 d76ab0-d76ada 5674->5683 5684 d76969-d76a69 5674->5684 5675->5674 5701 d76ae0-d76b53 5683->5701 5702 d76b9a-d76bae 5683->5702 5684->5683 5690 d76574-d76583 5689->5690 5691 d7663c 5689->5691 5705 d7663e 5690->5705 5706 d76589-d765bc 5690->5706 5691->5658 5701->5702 5716 d76bb4-d76c0b 5702->5716 5717 d76c8b-d76c9f 5702->5717 5724 d76643-d7668b 5705->5724 5795 d76603-d7660c 5706->5795 5796 d765be-d765f8 5706->5796 5847 d76c12-d76c44 5716->5847 5722 d76de5-d76df9 5717->5722 5723 d76ca5-d76d9e 5717->5723 5743 d76dff-d76e4f 5722->5743 5744 d7705c-d77070 5722->5744 5723->5722 5724->5658 5855 d76e51-d76e77 5743->5855 5856 d76ebd-d76ee8 5743->5856 5758 d77076-d77111 call d74278 * 2 5744->5758 5759 d77158-d7715f 5744->5759 5758->5759 5784 d764e5 5767->5784 5785 d76402-d76411 5767->5785 5784->5645 5792 d764e7 5785->5792 5793 d76417-d764b5 5785->5793 5813 d764ec-d76534 5792->5813 5793->5813 5930 d764b7 5793->5930 5795->5724 5803 d7660e 5795->5803 5796->5795 5803->5689 5813->5645 5847->5717 5931 d76e79-d76e99 5855->5931 5932 d76eb8 5855->5932 5934 d76fc6-d77057 5856->5934 5935 d76eee-d76fc1 5856->5935 5940 d7536d 5928->5940 5996 d75367 call d771c1 5928->5996 5929->5940 5930->5767 5931->5932 5932->5744 5934->5744 5935->5744 5940->5579 5996->5940
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l$:@2l$:@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-1757531996
                                  • Opcode ID: 9d6c1b0524bd2a685808533063382efc0b5d62d8bf0f5940b2c49f15fe268b3a
                                  • Instruction ID: 0a95b87d5d11a3124e2c97c0c83deda2a3b08184b5e45b247184f81fb99d5b04
                                  • Opcode Fuzzy Hash: 9d6c1b0524bd2a685808533063382efc0b5d62d8bf0f5940b2c49f15fe268b3a
                                  • Instruction Fuzzy Hash: B8E24974A06228CFDB25EF34D954BA9B7B2FB48304F1081EAD90A67794DB319E85CF50
                                  Function 00D74F2F Relevance: 6.2, Strings: 4, Instructions: 1245COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 5997 d74f2f-d74f88 6004 d74fe2-d74ff6 5997->6004 6005 d74f8a-d74f9b 5997->6005 6006 d75045-d75059 6004->6006 6007 d74ff8-d74ffe 6004->6007 6005->6004 6009 d750a2-d750b6 6006->6009 6010 d7505b 6006->6010 6007->6006 6011 d7512d-d75141 6009->6011 6012 d750b8-d750e1 6009->6012 6010->6009 6014 d75147-d75363 6011->6014 6015 d753b4-d753c8 6011->6015 6012->6011 6348 d75367 6014->6348 6349 d75365 6014->6349 6017 d7549e-d754b2 6015->6017 6018 d753ce-d75457 6015->6018 6020 d7566f-d75683 6017->6020 6021 d754b8-d75628 6017->6021 6018->6017 6025 d757e6-d757fa 6020->6025 6026 d75689-d7579f 6020->6026 6021->6020 6028 d75800-d75916 6025->6028 6029 d7595d-d75971 6025->6029 6026->6025 6028->6029 6031 d75977-d75a8d 6029->6031 6032 d75ad4-d75ae8 6029->6032 6031->6032 6036 d75aee-d75c04 6032->6036 6037 d75c4b-d75c5f 6032->6037 6036->6037 6043 d75c65-d75d7b 6037->6043 6044 d75dc2-d75dd6 6037->6044 6043->6044 6050 d75ddc-d75ef2 6044->6050 6051 d75f39-d75f4d 6044->6051 6050->6051 6053 d75f53-d76069 6051->6053 6054 d760b0-d760c4 6051->6054 6053->6054 6060 d76227-d7623b 6054->6060 6061 d760ca-d761e0 6054->6061 6067 d76241-d76357 6060->6067 6068 d7639e-d763b2 6060->6068 6061->6060 6067->6068 6074 d76536-d7654a 6068->6074 6075 d763b8-d763fd call d74278 6068->6075 6086 d76550-d7656f 6074->6086 6087 d7668d-d766a1 6074->6087 6191 d764bd-d764df 6075->6191 6117 d76614-d76636 6086->6117 6090 d766a7-d767a7 6087->6090 6091 d767ee-d76802 6087->6091 6090->6091 6102 d7694f-d76963 6091->6102 6103 d76808-d76908 6091->6103 6111 d76ab0-d76ada 6102->6111 6112 d76969-d76a69 6102->6112 6103->6102 6128 d76ae0-d76b53 6111->6128 6129 d76b9a-d76bae 6111->6129 6112->6111 6118 d76574-d76583 6117->6118 6119 d7663c 6117->6119 6132 d7663e 6118->6132 6133 d76589-d765bc 6118->6133 6119->6087 6128->6129 6142 d76bb4-d76c0b 6129->6142 6143 d76c8b-d76c9f 6129->6143 6150 d76643-d7668b 6132->6150 6218 d76603-d7660c 6133->6218 6219 d765be-d765f8 6133->6219 6266 d76c12-d76c44 6142->6266 6148 d76de5-d76df9 6143->6148 6149 d76ca5-d76d9e 6143->6149 6168 d76dff-d76e4f 6148->6168 6169 d7705c-d77070 6148->6169 6149->6148 6150->6087 6272 d76e51-d76e77 6168->6272 6273 d76ebd-d76ee8 6168->6273 6183 d77076-d77111 call d74278 * 2 6169->6183 6184 d77158-d7715f 6169->6184 6183->6184 6207 d764e5 6191->6207 6208 d76402-d76411 6191->6208 6207->6074 6215 d764e7 6208->6215 6216 d76417-d764b5 6208->6216 6236 d764ec-d76534 6215->6236 6216->6236 6353 d764b7 6216->6353 6218->6150 6223 d7660e 6218->6223 6219->6218 6223->6117 6236->6074 6266->6143 6346 d76e79-d76e99 6272->6346 6347 d76eb8 6272->6347 6351 d76fc6-d77057 6273->6351 6352 d76eee-d76fc1 6273->6352 6346->6347 6347->6169 6357 d7536d 6348->6357 6402 d75367 call d771c1 6348->6402 6349->6357 6351->6169 6352->6169 6353->6191 6357->6015 6402->6357
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-1774593142
                                  • Opcode ID: 3ffd1bf82433d793cecedc35a2d8d1f170e30af60673e1039f548aaa4a4e6a51
                                  • Instruction ID: 53c025cee5c281b8bcb4ae7197a493a6f2bddb12a14b5199fd127a13dee2708f
                                  • Opcode Fuzzy Hash: 3ffd1bf82433d793cecedc35a2d8d1f170e30af60673e1039f548aaa4a4e6a51
                                  • Instruction Fuzzy Hash: A6D23A74A06228CFDB65EF34D954BA9B7B2FB48304F1081EAD80A67794DB319E85CF50
                                  Function 00D74F9D Relevance: 6.2, Strings: 4, Instructions: 1236COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 6403 d74f9d-d74ff6 6410 d75045-d75059 6403->6410 6411 d74ff8-d74ffe 6403->6411 6412 d750a2-d750b6 6410->6412 6413 d7505b 6410->6413 6411->6410 6414 d7512d-d75141 6412->6414 6415 d750b8-d750e1 6412->6415 6413->6412 6417 d75147-d75363 6414->6417 6418 d753b4-d753c8 6414->6418 6415->6414 6750 d75367 6417->6750 6751 d75365 6417->6751 6419 d7549e-d754b2 6418->6419 6420 d753ce-d75457 6418->6420 6422 d7566f-d75683 6419->6422 6423 d754b8-d75628 6419->6423 6420->6419 6427 d757e6-d757fa 6422->6427 6428 d75689-d7579f 6422->6428 6423->6422 6430 d75800-d75916 6427->6430 6431 d7595d-d75971 6427->6431 6428->6427 6430->6431 6433 d75977-d75a8d 6431->6433 6434 d75ad4-d75ae8 6431->6434 6433->6434 6438 d75aee-d75c04 6434->6438 6439 d75c4b-d75c5f 6434->6439 6438->6439 6445 d75c65-d75d7b 6439->6445 6446 d75dc2-d75dd6 6439->6446 6445->6446 6452 d75ddc-d75ef2 6446->6452 6453 d75f39-d75f4d 6446->6453 6452->6453 6455 d75f53-d76069 6453->6455 6456 d760b0-d760c4 6453->6456 6455->6456 6462 d76227-d7623b 6456->6462 6463 d760ca-d761e0 6456->6463 6469 d76241-d76357 6462->6469 6470 d7639e-d763b2 6462->6470 6463->6462 6469->6470 6476 d76536-d7654a 6470->6476 6477 d763b8-d763fd call d74278 6470->6477 6488 d76550-d7656f 6476->6488 6489 d7668d-d766a1 6476->6489 6593 d764bd-d764df 6477->6593 6519 d76614-d76636 6488->6519 6492 d766a7-d767a7 6489->6492 6493 d767ee-d76802 6489->6493 6492->6493 6504 d7694f-d76963 6493->6504 6505 d76808-d76908 6493->6505 6513 d76ab0-d76ada 6504->6513 6514 d76969-d76a69 6504->6514 6505->6504 6530 d76ae0-d76b53 6513->6530 6531 d76b9a-d76bae 6513->6531 6514->6513 6520 d76574-d76583 6519->6520 6521 d7663c 6519->6521 6534 d7663e 6520->6534 6535 d76589-d765bc 6520->6535 6521->6489 6530->6531 6544 d76bb4-d76c0b 6531->6544 6545 d76c8b-d76c9f 6531->6545 6552 d76643-d7668b 6534->6552 6620 d76603-d7660c 6535->6620 6621 d765be-d765f8 6535->6621 6668 d76c12-d76c44 6544->6668 6550 d76de5-d76df9 6545->6550 6551 d76ca5-d76d9e 6545->6551 6570 d76dff-d76e4f 6550->6570 6571 d7705c-d77070 6550->6571 6551->6550 6552->6489 6674 d76e51-d76e77 6570->6674 6675 d76ebd-d76ee8 6570->6675 6585 d77076-d77111 call d74278 * 2 6571->6585 6586 d77158-d7715f 6571->6586 6585->6586 6609 d764e5 6593->6609 6610 d76402-d76411 6593->6610 6609->6476 6617 d764e7 6610->6617 6618 d76417-d764b5 6610->6618 6638 d764ec-d76534 6617->6638 6618->6638 6755 d764b7 6618->6755 6620->6552 6625 d7660e 6620->6625 6621->6620 6625->6519 6638->6476 6668->6545 6748 d76e79-d76e99 6674->6748 6749 d76eb8 6674->6749 6753 d76fc6-d77057 6675->6753 6754 d76eee-d76fc1 6675->6754 6748->6749 6749->6571 6759 d7536d 6750->6759 6804 d75367 call d771c1 6750->6804 6751->6759 6753->6571 6754->6571 6755->6593 6759->6418 6804->6759
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-1774593142
                                  • Opcode ID: 3ef3aa16b0c5fe1acf4a7401a02618b38a4147a613b7756635ae86572775bbbe
                                  • Instruction ID: 8836d9bade58c07b128d60120d7085fdcd51e3865acb47c89c5b6b3d1e2577ad
                                  • Opcode Fuzzy Hash: 3ef3aa16b0c5fe1acf4a7401a02618b38a4147a613b7756635ae86572775bbbe
                                  • Instruction Fuzzy Hash: A5D23A74A06228CFDB65EF34D954BA9B7B2FB48304F1081EAD80A67794DB319E85CF50
                                  Function 00D75000 Relevance: 6.2, Strings: 4, Instructions: 1230COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 6805 d75000-d75059 6812 d750a2-d750b6 6805->6812 6813 d7505b 6805->6813 6814 d7512d-d75141 6812->6814 6815 d750b8-d750e1 6812->6815 6813->6812 6816 d75147-d75363 6814->6816 6817 d753b4-d753c8 6814->6817 6815->6814 7149 d75367 6816->7149 7150 d75365 6816->7150 6818 d7549e-d754b2 6817->6818 6819 d753ce-d75457 6817->6819 6821 d7566f-d75683 6818->6821 6822 d754b8-d75628 6818->6822 6819->6818 6826 d757e6-d757fa 6821->6826 6827 d75689-d7579f 6821->6827 6822->6821 6829 d75800-d75916 6826->6829 6830 d7595d-d75971 6826->6830 6827->6826 6829->6830 6832 d75977-d75a8d 6830->6832 6833 d75ad4-d75ae8 6830->6833 6832->6833 6837 d75aee-d75c04 6833->6837 6838 d75c4b-d75c5f 6833->6838 6837->6838 6844 d75c65-d75d7b 6838->6844 6845 d75dc2-d75dd6 6838->6845 6844->6845 6851 d75ddc-d75ef2 6845->6851 6852 d75f39-d75f4d 6845->6852 6851->6852 6854 d75f53-d76069 6852->6854 6855 d760b0-d760c4 6852->6855 6854->6855 6861 d76227-d7623b 6855->6861 6862 d760ca-d761e0 6855->6862 6868 d76241-d76357 6861->6868 6869 d7639e-d763b2 6861->6869 6862->6861 6868->6869 6875 d76536-d7654a 6869->6875 6876 d763b8-d763fd call d74278 6869->6876 6887 d76550-d7656f 6875->6887 6888 d7668d-d766a1 6875->6888 6992 d764bd-d764df 6876->6992 6918 d76614-d76636 6887->6918 6891 d766a7-d767a7 6888->6891 6892 d767ee-d76802 6888->6892 6891->6892 6903 d7694f-d76963 6892->6903 6904 d76808-d76908 6892->6904 6912 d76ab0-d76ada 6903->6912 6913 d76969-d76a69 6903->6913 6904->6903 6929 d76ae0-d76b53 6912->6929 6930 d76b9a-d76bae 6912->6930 6913->6912 6919 d76574-d76583 6918->6919 6920 d7663c 6918->6920 6933 d7663e 6919->6933 6934 d76589-d765bc 6919->6934 6920->6888 6929->6930 6943 d76bb4-d76c0b 6930->6943 6944 d76c8b-d76c9f 6930->6944 6951 d76643-d7668b 6933->6951 7019 d76603-d7660c 6934->7019 7020 d765be-d765f8 6934->7020 7067 d76c12-d76c44 6943->7067 6949 d76de5-d76df9 6944->6949 6950 d76ca5-d76d9e 6944->6950 6969 d76dff-d76e4f 6949->6969 6970 d7705c-d77070 6949->6970 6950->6949 6951->6888 7073 d76e51-d76e77 6969->7073 7074 d76ebd-d76ee8 6969->7074 6984 d77076-d77111 call d74278 * 2 6970->6984 6985 d77158-d7715f 6970->6985 6984->6985 7008 d764e5 6992->7008 7009 d76402-d76411 6992->7009 7008->6875 7016 d764e7 7009->7016 7017 d76417-d764b5 7009->7017 7037 d764ec-d76534 7016->7037 7017->7037 7154 d764b7 7017->7154 7019->6951 7024 d7660e 7019->7024 7020->7019 7024->6918 7037->6875 7067->6944 7147 d76e79-d76e99 7073->7147 7148 d76eb8 7073->7148 7152 d76fc6-d77057 7074->7152 7153 d76eee-d76fc1 7074->7153 7147->7148 7148->6970 7158 d7536d 7149->7158 7203 d75367 call d771c1 7149->7203 7150->7158 7152->6970 7153->6970 7154->6992 7158->6817 7203->7158
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-1774593142
                                  • Opcode ID: 689fec55add43ea59021484b888f9dd938484ff50ddd8da8397b674a8f32e860
                                  • Instruction ID: 17973e455937a9b4e75d651452b63d28f2cadef76d3393c83029f1968c396b76
                                  • Opcode Fuzzy Hash: 689fec55add43ea59021484b888f9dd938484ff50ddd8da8397b674a8f32e860
                                  • Instruction Fuzzy Hash: 47D23A74A06228CFDB65EF34D954BA9B7B2FB48304F1081EAD80A67794DB319E85CF50
                                  Function 00D7505D Relevance: 6.2, Strings: 4, Instructions: 1225COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-1774593142
                                  • Opcode ID: a5945f9ef40fd847a6671bb068588cd3f138a1b4d3eb526b3e30ab0f2e169f91
                                  • Instruction ID: 86975bc64520ca021a8ab39fb5a882ec0d807b58e68fa4ecc7ef12b4afb51e83
                                  • Opcode Fuzzy Hash: a5945f9ef40fd847a6671bb068588cd3f138a1b4d3eb526b3e30ab0f2e169f91
                                  • Instruction Fuzzy Hash: 55D24A74A02228CFDB65EF34D954BA9B7B2FB48304F1081EAD80A67794DB319E85CF50
                                  Function 00D750E3 Relevance: 6.2, Strings: 4, Instructions: 1210COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-1774593142
                                  • Opcode ID: f9f7d202c61abc919c6c547b8c4876d2782f327241e3ff9958aa5989fb35b82f
                                  • Instruction ID: 4d0724114ebe26b3b05c0736db842895c9f7d8e70c4d498cf7208b01e169c6c6
                                  • Opcode Fuzzy Hash: f9f7d202c61abc919c6c547b8c4876d2782f327241e3ff9958aa5989fb35b82f
                                  • Instruction Fuzzy Hash: 71D23A74A02228CFDB65EF34D954BA9B7B2FB48304F1081EAD80A67794DB319E95CF50
                                  Function 00D7536F Relevance: 6.1, Strings: 4, Instructions: 1071COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l$\OYl$2Yl
                                  • API String ID: 0-1774593142
                                  • Opcode ID: 14916180fe5ea7e04ed54af1ef6c3446a97a6bb3cc7a335a540c11f61277e466
                                  • Instruction ID: 97fc1f6d3f668c4e550ef5497f77a0b0d2417d8383d95a94a6c4e6149af1ea75
                                  • Opcode Fuzzy Hash: 14916180fe5ea7e04ed54af1ef6c3446a97a6bb3cc7a335a540c11f61277e466
                                  • Instruction Fuzzy Hash: B1C24C74A02228CFDB65EF24DD54BA9B7B2FB48304F1081EAD40A6B794DB319E95CF50
                                  Function 00D75459 Relevance: 4.8, Strings: 3, Instructions: 1040COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l$\OYl
                                  • API String ID: 0-3268719163
                                  • Opcode ID: b0c4673da204da7ea781c6f2c3b161368210ad55e59de6665df844d362d10c72
                                  • Instruction ID: d5eeb8715f696340581e26c89cf716192966d8b76b13abe231d3a77fa3cf6139
                                  • Opcode Fuzzy Hash: b0c4673da204da7ea781c6f2c3b161368210ad55e59de6665df844d362d10c72
                                  • Instruction Fuzzy Hash: 0AC23C74A02228CFDB65EF24DD54BA9B7B2FB48304F1081EAD40A6B794DB319E95CF50
                                  Function 00D78CE8 Relevance: 2.1, Strings: 1, Instructions: 805COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l
                                  • API String ID: 0-1731998491
                                  • Opcode ID: e96083d81132ffbef4991b2e5731cf678e519c4163d91e4938261c8ebfb4959b
                                  • Instruction ID: 377fce8b487c131ce11504cde621d137ec91453123b320c8b888a041e09e63f7
                                  • Opcode Fuzzy Hash: e96083d81132ffbef4991b2e5731cf678e519c4163d91e4938261c8ebfb4959b
                                  • Instruction Fuzzy Hash: 13520132A012119BCB18EB75E46066DB3B2FF88344755C02AE45A9B394EF35ED52DBA0
                                  Function 0092BA83 Relevance: 1.6, APIs: 1, Instructions: 75COMMON
                                  Download Yara Rule
                                  APIs
                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0092BB03
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0
                                  • Opcode ID: 8d33ed9da95ffefe406fd163e4000cb385491daa1a7d5c0aa27b3ef0cf762545
                                  • Instruction ID: 7fb037f92399c7e7ca4505526829326388aea43eb6add64e048b4bb4466b6dde
                                  • Opcode Fuzzy Hash: 8d33ed9da95ffefe406fd163e4000cb385491daa1a7d5c0aa27b3ef0cf762545
                                  • Instruction Fuzzy Hash: C5219F75509780AFDB228F25DC44B52BFF8EF06310F0985DAE9858B563D371D908DB62
                                  Function 0092BC05 Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtQuerySystemInformation.NTDLL ref: 0092BC71
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: InformationQuerySystem
                                  • String ID:
                                  • API String ID: 3562636166-0
                                  • Opcode ID: 1a01f404fb40b69b9036f6acee4b8d87520661e99bcb9c438b72560c909781ad
                                  • Instruction ID: 6e9009e3f0de67461d305bc883f2106a15a3685be78f3cfb38639100aecfafb7
                                  • Opcode Fuzzy Hash: 1a01f404fb40b69b9036f6acee4b8d87520661e99bcb9c438b72560c909781ad
                                  • Instruction Fuzzy Hash: 161190714097C09FDB22CF15DC45A92FFF4EF07324F0984DAE9844B263D265A918DB62
                                  Function 0092BABA Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                  Download Yara Rule
                                  APIs
                                  • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0092BB03
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: AdjustPrivilegesToken
                                  • String ID:
                                  • API String ID: 2874748243-0
                                  • Opcode ID: 0a37e06049ce94cde189b7afe27d9fca3d4574fe36788f0a56e788f066e9aea5
                                  • Instruction ID: 200f698ce181868aed4dcc0d53b2b4da5bdbd8b4e393d438f872e4f7feb4f137
                                  • Opcode Fuzzy Hash: 0a37e06049ce94cde189b7afe27d9fca3d4574fe36788f0a56e788f066e9aea5
                                  • Instruction Fuzzy Hash: 3611A0315007009FDB20CF55E944B52FBE8EF04320F08C4AADD458B656D375E818DF61
                                  Function 0092BC36 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • NtQuerySystemInformation.NTDLL ref: 0092BC71
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: InformationQuerySystem
                                  • String ID:
                                  • API String ID: 3562636166-0
                                  • Opcode ID: 5db8459cf3d74b73c560c8fc38b0f8d1024ba84c8c3897b99dc633507070741a
                                  • Instruction ID: 534472ab3c32e19f8b48a171c3c18dab128622b8ab5f7b7119410217485ad9a0
                                  • Opcode Fuzzy Hash: 5db8459cf3d74b73c560c8fc38b0f8d1024ba84c8c3897b99dc633507070741a
                                  • Instruction Fuzzy Hash: F0018F31500A449FEB20CF49E984B61FBE4EF45720F18C49ADD890A655D375E818DFA2
                                  Function 00D700B8 Relevance: 5.1, Strings: 4, Instructions: 98COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 2Yl$2Yl$5]Xl^$E]Xl^
                                  • API String ID: 0-4174921172
                                  • Opcode ID: 260300c37047ae016b2ce9620b97d272db944bb06242084bfac2b00ce4fa02e9
                                  • Instruction ID: fcdef9a0de9830e87ccb0374515587c19fadf2a7b5e8cdd17506edad3d6b0de6
                                  • Opcode Fuzzy Hash: 260300c37047ae016b2ce9620b97d272db944bb06242084bfac2b00ce4fa02e9
                                  • Instruction Fuzzy Hash: 8B31E4317083909FCB19E7749C51BAE3BA79BC2308F04856ED005CF792DB769C0A87A2
                                  Function 00D70118 Relevance: 5.1, Strings: 4, Instructions: 61COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 2Yl$2Yl$5]Xl^$E]Xl^
                                  • API String ID: 0-4174921172
                                  • Opcode ID: 1ca9430083aace28fda22ca15174dd837acc26098f142a0074960e09c1294bea
                                  • Instruction ID: 9ff84c890ab08b96caa456c84513806f354aacaf1467cf43f782c85a5e972bf0
                                  • Opcode Fuzzy Hash: 1ca9430083aace28fda22ca15174dd837acc26098f142a0074960e09c1294bea
                                  • Instruction Fuzzy Hash: F311023170C2908FC72AA7B868516ED2BA78BC6308314556FD006CF786CF769C0D87A3
                                  Function 00D776C0 Relevance: 3.7, Strings: 2, Instructions: 1242COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l
                                  • API String ID: 0-1182302870
                                  • Opcode ID: 6427b9073f828360aefa421474d39f1c0217f8d829be00eee027b35fbf2ad309
                                  • Instruction ID: aaeb37194322bd2f07a61bee30babdac084c16f73ba59300658ab6160e67a74a
                                  • Opcode Fuzzy Hash: 6427b9073f828360aefa421474d39f1c0217f8d829be00eee027b35fbf2ad309
                                  • Instruction Fuzzy Hash: 7BC2AB34B05164DBDB15AB35E9007B97BF2EB4C309F24C0AB985A93784DB348D5AEF21
                                  Function 00D7773C Relevance: 3.6, Strings: 2, Instructions: 1079COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l
                                  • API String ID: 0-1182302870
                                  • Opcode ID: 77ff7c579df779ee4ca6cb7a080cbdbd61e180807bd7fa76c11b1cef00bcee8c
                                  • Instruction ID: 6672ba6d03c07cfc25899016fc56a3bc14787728d93baac0a54be393b292e176
                                  • Opcode Fuzzy Hash: 77ff7c579df779ee4ca6cb7a080cbdbd61e180807bd7fa76c11b1cef00bcee8c
                                  • Instruction Fuzzy Hash: 0192AC347041609BDF056B35E9107B97BF6EB88309F24C06B945AA3B94DF348D5AEF22
                                  Function 00D77776 Relevance: 3.6, Strings: 2, Instructions: 1076COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l
                                  • API String ID: 0-1182302870
                                  • Opcode ID: 011b262ef0cddbcc5503c78821ca81716859d497b7fc2d9639dbc36fc6f90e37
                                  • Instruction ID: 0d7586bf78988eb4afe3b6c62d44048c751f92905aa2784e65fe1008e0b3fc14
                                  • Opcode Fuzzy Hash: 011b262ef0cddbcc5503c78821ca81716859d497b7fc2d9639dbc36fc6f90e37
                                  • Instruction Fuzzy Hash: DE92BC347041609BDF056B35E9107B97BF6EB88309F24C06B945AA3B94DF348D5AEF22
                                  Function 00D777A5 Relevance: 3.6, Strings: 2, Instructions: 1075COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$:@2l
                                  • API String ID: 0-1182302870
                                  • Opcode ID: a039c66bc9ee1ee3f3b5e8ae77aa84fe24f07309c3a661ae707ab42984b70e61
                                  • Instruction ID: f06b51d72404cbb7a4a55e514b7011354052ef1e69769fc29d29b8a3c8742120
                                  • Opcode Fuzzy Hash: a039c66bc9ee1ee3f3b5e8ae77aa84fe24f07309c3a661ae707ab42984b70e61
                                  • Instruction Fuzzy Hash: 4192BC347041609BDF056B35E9107B97BF6EB88309F24C06B945AA3B94DF348D5AEF22
                                  Function 0092A140 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: send
                                  • String ID: X<l
                                  • API String ID: 2809346765-1623157627
                                  • Opcode ID: 9925057fb99fe60a4b871eaa5df33aecdbe0e5a756644a68c0ae2bf246cd0157
                                  • Instruction ID: 2c5516be6bea9bd5004843b530b8b70c269379aa1e1ed8283806d0cef1a98af3
                                  • Opcode Fuzzy Hash: 9925057fb99fe60a4b871eaa5df33aecdbe0e5a756644a68c0ae2bf246cd0157
                                  • Instruction Fuzzy Hash: A9216D7140D7C09FD7238B219C94A52BFB4EF07220F0985DBD9848F5A3D269A819DB72
                                  Function 0092A186 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: send
                                  • String ID: X<l
                                  • API String ID: 2809346765-1623157627
                                  • Opcode ID: dde1763a153e7944f9cbf4a3a9475feb7f2862244b2a0f8106c6cc9389feb86e
                                  • Instruction ID: 4c8ecc6a10aafb0d16ca2fc2bff3ca10d6a9d3ab49121723366ce61fdfaf7c9b
                                  • Opcode Fuzzy Hash: dde1763a153e7944f9cbf4a3a9475feb7f2862244b2a0f8106c6cc9389feb86e
                                  • Instruction Fuzzy Hash: B301B1328047409FDB20CF55E944B52FBE4EF04320F18C8AADD498B656C375E468DFA2
                                  Function 00D7562A Relevance: 3.5, Strings: 2, Instructions: 963COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: 916e36cfa9aca418e3d616c386de6d089893e4faa89a8a2d601c631bdb0d39d6
                                  • Instruction ID: 6af3262a497cbaab4954d0269a428d02c03605bedcd3e940407d02d6e765ed8c
                                  • Opcode Fuzzy Hash: 916e36cfa9aca418e3d616c386de6d089893e4faa89a8a2d601c631bdb0d39d6
                                  • Instruction Fuzzy Hash: 03B23C74A02228CFDB65EF24DD54BA9B7B2FB48304F1081EAD40A6B794DB319E95CF50
                                  Function 00D757A1 Relevance: 3.4, Strings: 2, Instructions: 906COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: 1a958194d095b0581364d81a6aaa74dd3a9d5487f04554775f811496fcbbd808
                                  • Instruction ID: 89a77d8385fa2bb93dc558685f5bbdee92656868f0737d06fb8dfa48f7eb55c4
                                  • Opcode Fuzzy Hash: 1a958194d095b0581364d81a6aaa74dd3a9d5487f04554775f811496fcbbd808
                                  • Instruction Fuzzy Hash: 7CA22C74A02228CFDB65EF24DD54BA9B7B2FB48304F1081EAD40A6B794DB319E95CF50
                                  Function 00D75918 Relevance: 3.3, Strings: 2, Instructions: 849COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: 35b0bbfdefaa2639ed25879862233903c2e42490a463e91cb29beb9f56a6f29c
                                  • Instruction ID: cfa1b0270d58e4f3f581f275d23ec666e410f8e657dbe0f665f4d1662438595b
                                  • Opcode Fuzzy Hash: 35b0bbfdefaa2639ed25879862233903c2e42490a463e91cb29beb9f56a6f29c
                                  • Instruction Fuzzy Hash: B8922D74A02228CFDB65EF24DD54BA9B7B2FB48304F1081EAD40A6B794DB319E95CF50
                                  Function 00D75A8F Relevance: 3.3, Strings: 2, Instructions: 792COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: 53ff72f11dabbd300c9b9f191b6da801a837df30c5c5fe903cb36ede1cdf650c
                                  • Instruction ID: b28fdbc1983bbd01f8f2fab2fd60314a4b967e937721aa696f778dd631a29a08
                                  • Opcode Fuzzy Hash: 53ff72f11dabbd300c9b9f191b6da801a837df30c5c5fe903cb36ede1cdf650c
                                  • Instruction Fuzzy Hash: 02922C74A02228CFDB65EF24DD54BA9B7B2FB48304F1081EAD40A6B794DB319E95CF50
                                  Function 00D75C06 Relevance: 3.2, Strings: 2, Instructions: 735COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: 96f718c7b605f0ef5731a37576a38da743b2f6fb4617990660903784b61420f1
                                  • Instruction ID: 11d57e3ab865544b1db9fce6688fd265a99268551a5abcbc877edc8ebf792ede
                                  • Opcode Fuzzy Hash: 96f718c7b605f0ef5731a37576a38da743b2f6fb4617990660903784b61420f1
                                  • Instruction Fuzzy Hash: 3A822D74A02228CFDB65EF24DD54BA9B7B2FB48304F1081EAD80A67794DB319E95CF50
                                  Function 00D75D7D Relevance: 3.2, Strings: 2, Instructions: 678COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: 4821daeaa88e074f72b8ae2ab0f9b39703b1699f5bf983ee7bee672d96fa3f0b
                                  • Instruction ID: 4f4967935a4f36e62353f51fd0b2bef160138f9f193df67875bacbf73d8fe4d8
                                  • Opcode Fuzzy Hash: 4821daeaa88e074f72b8ae2ab0f9b39703b1699f5bf983ee7bee672d96fa3f0b
                                  • Instruction Fuzzy Hash: 9A721D74A02228CFDB65EF24DD54BA9B7B2FB48304F1081EAD80A67794DB319E95CF50
                                  Function 00D75EF4 Relevance: 3.1, Strings: 2, Instructions: 621COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: cb1c06465aebaef7898b7fa04769cb422a83fe9d400cd93ec49817dfc3b6684e
                                  • Instruction ID: e9eb5da96bfdb0d16399ef723c80f274fa95777ec72710c6ba3d7f4a1a4ee7fb
                                  • Opcode Fuzzy Hash: cb1c06465aebaef7898b7fa04769cb422a83fe9d400cd93ec49817dfc3b6684e
                                  • Instruction Fuzzy Hash: EA622E74A01228CFDB65EF24D954BA8B7B2FB49304F1081EAD80AA7794DB319E95CF50
                                  Function 00D7606B Relevance: 3.1, Strings: 2, Instructions: 564COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: 930c3eba81d8dc68e328b91cce79170cd2fd021111d3f52597f5a865b11a3e64
                                  • Instruction ID: 4d5d0c647eabf68a64edf8ca07a228c3416c7bf61d8507f9791a1f8371dc8f1b
                                  • Opcode Fuzzy Hash: 930c3eba81d8dc68e328b91cce79170cd2fd021111d3f52597f5a865b11a3e64
                                  • Instruction Fuzzy Hash: 32522F74A05228CFDB65EF34D954BA8B7B6FB49304F1081EAD80AA7394DB319E95CF40
                                  Function 00D737E1 Relevance: 3.0, Strings: 2, Instructions: 514COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: \OYl$2Yl
                                  • API String ID: 0-2262476593
                                  • Opcode ID: fdf994dda9b7dd74cced46b5f4ae5accd0e294e634d55bf043709dfe63fe0011
                                  • Instruction ID: a7c2260bc697080e748b061b28b4c8e22338609b6f4bca1fc3eac96d0b06b572
                                  • Opcode Fuzzy Hash: fdf994dda9b7dd74cced46b5f4ae5accd0e294e634d55bf043709dfe63fe0011
                                  • Instruction Fuzzy Hash: E1322830A01218CFDB18EF74D954BEDB7B2EB49308F1045AAD40AAB794DB359E86CF50
                                  Function 00D761E2 Relevance: 3.0, Strings: 2, Instructions: 507COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: 0c50a5a378814b629b05826d6cdd49c2705bbe523ca3ec097f840ed650f093f0
                                  • Instruction ID: 9716d471729ce08dfee3850cceab5a29a5291d2f386e177067bab024eeed7462
                                  • Opcode Fuzzy Hash: 0c50a5a378814b629b05826d6cdd49c2705bbe523ca3ec097f840ed650f093f0
                                  • Instruction Fuzzy Hash: 0B422E74A05228CFDB65EF34D954BA8B7B6FB49304F1081EAD80AA7394DB319E95CF40
                                  Function 00D76359 Relevance: 3.0, Strings: 2, Instructions: 450COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: ca12642befed309396fe89cd74772f77565fde782920d637011cc1f01972c6c5
                                  • Instruction ID: 76ec8f2a695cc572121a66c9032edc11a5c0966ed25159d11133f647a03f9c16
                                  • Opcode Fuzzy Hash: ca12642befed309396fe89cd74772f77565fde782920d637011cc1f01972c6c5
                                  • Instruction Fuzzy Hash: 48321C74A05228CFDB65EF34D954BA8B7B6FB49304F1081EAD80AA7394DB319E95CF40
                                  Function 00D76483 Relevance: 2.9, Strings: 2, Instructions: 427COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: 9f6b458217154101a09aedf5a8f37ffac1baa1da568089db34f52100a70d89ac
                                  • Instruction ID: 4a3634ad5d2acebabec757a1fa95bb0bc26cdfe5e6e53cbae747292f244eae41
                                  • Opcode Fuzzy Hash: 9f6b458217154101a09aedf5a8f37ffac1baa1da568089db34f52100a70d89ac
                                  • Instruction Fuzzy Hash: 58221D74A05228CFDB65EF34D954BA8B7B6FB49304F1081EAD80AA7394DB319E95CF40
                                  Function 00D767A9 Relevance: 2.8, Strings: 2, Instructions: 343COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: 1df991d502b25165866ff6759544dbb60b2d744bb6cebb600302f266e4235327
                                  • Instruction ID: 341edf682cc0ecc3150ee7f0b3de5521fc75c586a4870ca9ba2339479d322609
                                  • Opcode Fuzzy Hash: 1df991d502b25165866ff6759544dbb60b2d744bb6cebb600302f266e4235327
                                  • Instruction Fuzzy Hash: 38021B74A01228CFDB65EF34D954BA9B7B2FB49304F1081EAD90AA7794DB319E91CF40
                                  Function 00D7690A Relevance: 2.8, Strings: 2, Instructions: 287COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: 6dfbcf29882977a5ffe8c3f2bfdc546a6507ad605e1536c10285d5ded4c3fb24
                                  • Instruction ID: bb75b881e897160eba09d4b1835a45013b188b4f1b12ea6eddf0d6702b7893d0
                                  • Opcode Fuzzy Hash: 6dfbcf29882977a5ffe8c3f2bfdc546a6507ad605e1536c10285d5ded4c3fb24
                                  • Instruction Fuzzy Hash: C1D13974A01228CFDB25EF34D990BA9B7B2FB49304F5081EAD50AA7794DB359E81CF50
                                  Function 00D76A6B Relevance: 2.7, Strings: 2, Instructions: 231COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l$\OYl
                                  • API String ID: 0-3579895576
                                  • Opcode ID: c7710f66eb1cf541279cb803746e6726b979c0a3e5033fd036aab2a432a3cdb6
                                  • Instruction ID: 39bdbfe1214922397917e9e58b57bf049d6abbc2fc8e1a0ab96cf5071646170c
                                  • Opcode Fuzzy Hash: c7710f66eb1cf541279cb803746e6726b979c0a3e5033fd036aab2a432a3cdb6
                                  • Instruction Fuzzy Hash: B2B12B70A012288FDB25EB74D950BADB7B2FF88304F5081EAD50AA7794DB359E85CF50
                                  Function 00E124EA Relevance: 1.6, APIs: 1, Instructions: 131registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 00E125E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 947f2704f53dfacc711b8becdb242a3bd3aa83cd9c4723cf25b90bcfb61ef80c
                                  • Instruction ID: 1b12bfec51697bbbba1c1319f5d92210a4f1377ae40bc7490d3e9ce64e63783d
                                  • Opcode Fuzzy Hash: 947f2704f53dfacc711b8becdb242a3bd3aa83cd9c4723cf25b90bcfb61ef80c
                                  • Instruction Fuzzy Hash: D8418D711093C06FE7238B218C50FA2BFB8EF47614F0945DAE985DB5A3D264E859CB72
                                  Function 00E10AD7 Relevance: 1.6, APIs: 1, Instructions: 98registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00E10B9E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: a05fd3aed4d6c8d2780bf7a0d79d612261fabe17184c71a33a73294961274142
                                  • Instruction ID: 620b94ae200e68464f8c65107349dd144cb8f0ad59e9325ead93aef6adc0cea0
                                  • Opcode Fuzzy Hash: a05fd3aed4d6c8d2780bf7a0d79d612261fabe17184c71a33a73294961274142
                                  • Instruction Fuzzy Hash: 6A319E7110E3C06FD3138B218C61A61BFB4EF47614B1E45CBE8C49F6A3D269A909C7B2
                                  Function 0092B1E6 Relevance: 1.6, APIs: 1, Instructions: 97registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0092B291
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: 2ce45f712bf77c6a57e5a4d964c5bb3f0980c34caf7f2fdae614143dc16160c6
                                  • Instruction ID: a51ca0f29cebf01d19189d599f6318773f5b6b5c4a51e4ef8aa33686c937595c
                                  • Opcode Fuzzy Hash: 2ce45f712bf77c6a57e5a4d964c5bb3f0980c34caf7f2fdae614143dc16160c6
                                  • Instruction Fuzzy Hash: BF319071509394AFD7228B61DC44FA6BFFCEF06210F08849BE9848B693D364E809C771
                                  Function 0092AA75 Relevance: 1.6, APIs: 1, Instructions: 92fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0092AB25
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: d52855aceb8464a46f2c5aed96182ae1c330d6a981124f760b29a287d3d71ad5
                                  • Instruction ID: b64e052ffbd935e9be7aa66c3af6dacc7d5e0e18606e6ef5b66101d606fec9df
                                  • Opcode Fuzzy Hash: d52855aceb8464a46f2c5aed96182ae1c330d6a981124f760b29a287d3d71ad5
                                  • Instruction Fuzzy Hash: 7A318171505380AFE721CF65DC85F96BBF8EF05314F08849EE9858B652D365E808CB61
                                  Function 0092B036 Relevance: 1.6, APIs: 1, Instructions: 89synchronizationCOMMON
                                  Download Yara Rule
                                  APIs
                                  • CreateMutexW.KERNELBASE(?,?), ref: 0092B0DD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  • Opcode ID: e4f5382ae58d482a2b6fa398054167b654e77656ba8b01336c4bebebf5bc1211
                                  • Instruction ID: ce244046363e2a0c17c5b4065041107999fe0129f3a83727a81b5ee0cf78b63a
                                  • Opcode Fuzzy Hash: e4f5382ae58d482a2b6fa398054167b654e77656ba8b01336c4bebebf5bc1211
                                  • Instruction Fuzzy Hash: EE31A1B15093806FE712CB25DC95B96BFF8EF06314F08849AE9848F292D365E908C762
                                  Function 0092B2D9 Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 0092B394
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 6c84ae65ebdadc9758cbbe006d07794d404c0a86a9cd084a1b6aef58a9482f69
                                  • Instruction ID: c43a23ce2a4f366f5ae11e0af7a49dcf522aae5ed33e2c9168aae6cb6fc570c8
                                  • Opcode Fuzzy Hash: 6c84ae65ebdadc9758cbbe006d07794d404c0a86a9cd084a1b6aef58a9482f69
                                  • Instruction Fuzzy Hash: 9C3193765057846FD722CB61DC44F92BFFCEF46314F08849AE9858B293D364E948CBA1
                                  Function 00E10FF0 Relevance: 1.6, APIs: 1, Instructions: 89COMMON
                                  Download Yara Rule
                                  APIs
                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 00E11087
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: DescriptorSecurity$ConvertString
                                  • String ID:
                                  • API String ID: 3907675253-0
                                  • Opcode ID: ddc66b035d5d88152c5406b71f67f1962d0dbb7a4ce07de99490617513e5b1be
                                  • Instruction ID: 17498b075882bfc39cec041806d94fce5c05bae3ea8d4322908d61a740bffa8f
                                  • Opcode Fuzzy Hash: ddc66b035d5d88152c5406b71f67f1962d0dbb7a4ce07de99490617513e5b1be
                                  • Instruction Fuzzy Hash: D231C372504384AFEB21CB65DC45FA7BFF8EF05314F08849AE984DB652D364E948CB61
                                  Function 00E1254A Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegCreateKeyExW.KERNELBASE(?,00000E24), ref: 00E125E5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 83f9fb5bcaac5dcdf2ce4c96e7d4d1c37a0939883674a4fea9097389fefd5659
                                  • Instruction ID: 6961d7476413524995dbcaf9083f6547f5f9516b66c5d2b56c1eb8618dd8787f
                                  • Opcode Fuzzy Hash: 83f9fb5bcaac5dcdf2ce4c96e7d4d1c37a0939883674a4fea9097389fefd5659
                                  • Instruction Fuzzy Hash: E7218D72600704AFEB219E55CC84FA7FBECEF08714F14845EEA45D7651D720E9588AB2
                                  Function 0092A6CE Relevance: 1.6, APIs: 1, Instructions: 85comclipboardCOMMON
                                  Download Yara Rule
                                  APIs
                                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0092A779
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Clipboard
                                  • String ID:
                                  • API String ID: 220874293-0
                                  • Opcode ID: 889db6653cdad3071605a7c006a1c350f472a2c0f41f56f0a3dd85a328a14f13
                                  • Instruction ID: 6cfb4ef12f1d01dd6127596f723ef3e4ce972c10781ed36e82dc184fd4f4880b
                                  • Opcode Fuzzy Hash: 889db6653cdad3071605a7c006a1c350f472a2c0f41f56f0a3dd85a328a14f13
                                  • Instruction Fuzzy Hash: A931717104D3C06FD3138B259C61BA1BFB4EF47614F1A40CBE884CB6A3D2256919D7B2
                                  Function 00E1288C Relevance: 1.6, APIs: 1, Instructions: 84COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetExitCodeProcess.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E12920
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CodeExitProcess
                                  • String ID:
                                  • API String ID: 3861947596-0
                                  • Opcode ID: 14d2d8da09e250ca174ec53a44e75357d743fc7eb531277552de171050705328
                                  • Instruction ID: 92d8fabfa25faf5dde2c4b468aca522d38c9455be85d692b6edc361c9f007e77
                                  • Opcode Fuzzy Hash: 14d2d8da09e250ca174ec53a44e75357d743fc7eb531277552de171050705328
                                  • Instruction Fuzzy Hash: B721F6715093806FE712CB20CC54B96BFB8AF42324F0884DBE9889F293D264A949C7B1
                                  Function 00E11700 Relevance: 1.6, APIs: 1, Instructions: 83timeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessTimes.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E11791
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: ProcessTimes
                                  • String ID:
                                  • API String ID: 1995159646-0
                                  • Opcode ID: 517f0d02d12d5b0fc53f420bd31a7f54691df47e6d581a329c20b8da86f43cdf
                                  • Instruction ID: 27ce6f51e585921096f2f7b6b2f0b268addc53c4982ba4868ea15cac0822def4
                                  • Opcode Fuzzy Hash: 517f0d02d12d5b0fc53f420bd31a7f54691df47e6d581a329c20b8da86f43cdf
                                  • Instruction Fuzzy Hash: B321D6715093806FDB228F21CD44F96BFB8EF46314F0884DBE9849F292D365A948CBB1
                                  Function 0092B4C8 Relevance: 1.6, APIs: 1, Instructions: 82windowtimeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 0092B571
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: MessageSendTimeout
                                  • String ID:
                                  • API String ID: 1599653421-0
                                  • Opcode ID: 012e0393fcd1c4f6d3c6e8551bd3a98017b083cb7a179ffba653134f66302176
                                  • Instruction ID: 9e894d71190fa1ebd2c799e7c2021196334cfd5613e1fac74654f3dd3b953e2d
                                  • Opcode Fuzzy Hash: 012e0393fcd1c4f6d3c6e8551bd3a98017b083cb7a179ffba653134f66302176
                                  • Instruction Fuzzy Hash: 1521F671104740AFEB228F11DC44FA2FFB8EF46310F18849AF9845F6A2D375A509CB61
                                  Function 00E127BD Relevance: 1.6, APIs: 1, Instructions: 80COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: select
                                  • String ID:
                                  • API String ID: 1274211008-0
                                  • Opcode ID: 53be1ad8d97d2dcf3f87ca6355667402203ad1a34c8d9ba7163bcdbbcb67046f
                                  • Instruction ID: 77627018c446001b40344cad9a5208604abfbdb2322f14b035fa2ca902ead4ef
                                  • Opcode Fuzzy Hash: 53be1ad8d97d2dcf3f87ca6355667402203ad1a34c8d9ba7163bcdbbcb67046f
                                  • Instruction Fuzzy Hash: 34217C715093849FEB22CF25DC44B92BFF8EF06314F0984DAE984DB262D324E959DB61
                                  Function 0092AE77 Relevance: 1.6, APIs: 1, Instructions: 78fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 0092AF0D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 7446c30ca8a1fad9f7d033acffaea6c647e0854d772967ff7c4b4c661b168653
                                  • Instruction ID: 4d79a4840bfc69a81fdfcf8596fdc6604e96904e25621ec00a986c74f6bc2bae
                                  • Opcode Fuzzy Hash: 7446c30ca8a1fad9f7d033acffaea6c647e0854d772967ff7c4b4c661b168653
                                  • Instruction Fuzzy Hash: D921B7B2409380AFD722CF51DD44F96BFB8EF46314F0984DAE9849F162D365A509CBB1
                                  Function 0092B3EA Relevance: 1.6, APIs: 1, Instructions: 77registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegSetValueExW.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 0092B480
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: 305e3ef7e86f0fdaf94ef10292bc2caeb68ee2494961639aa8e9ca651b25f442
                                  • Instruction ID: c8c4d3e12723dbfae8d2e263cf325a316e7d5e0bc54630e4b0f70f16b97645fc
                                  • Opcode Fuzzy Hash: 305e3ef7e86f0fdaf94ef10292bc2caeb68ee2494961639aa8e9ca651b25f442
                                  • Instruction Fuzzy Hash: D9217F765047946FD7228B11DC84BA2BBBCDF46314F08849AE9858B262D364E848C7B1
                                  Function 00E10BCA Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 00E10C56
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Socket
                                  • String ID:
                                  • API String ID: 38366605-0
                                  • Opcode ID: 08c86db9b017408453b2f4ec572188f4181c02c57b79677e5bc741a5036fcc50
                                  • Instruction ID: 1f39cb53cbf2a8d5f5d24d6f19c5a20bdb11cbfc617198e614eb139eea6936e5
                                  • Opcode Fuzzy Hash: 08c86db9b017408453b2f4ec572188f4181c02c57b79677e5bc741a5036fcc50
                                  • Instruction Fuzzy Hash: 9E21A071405380AFE721CF51CC45F96FFB8EF45324F08889EE9858B692D375A848CBA1
                                  Function 00E111A6 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: FileView
                                  • String ID:
                                  • API String ID: 3314676101-0
                                  • Opcode ID: f4da2eecbcbeaca5e62868a262d8ff9c2a5c877f3152118366ba67b6d8d25666
                                  • Instruction ID: 1d9d24d324e814d989bab3bb68966cea92d7b14d954112d7e9cad787d5c0c7d6
                                  • Opcode Fuzzy Hash: f4da2eecbcbeaca5e62868a262d8ff9c2a5c877f3152118366ba67b6d8d25666
                                  • Instruction Fuzzy Hash: CC21BF71405384AFE722CF55CC44F96FBF8EF09224F04849EE9888B252D375E948CBA1
                                  Function 0092AAA6 Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 0092AB25
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: 7832e3d705a290adcb79be46be6cb2ca7755c4e4481e58e62de7e48a63287058
                                  • Instruction ID: 9322b5c68e1419c78b07e586d303d0b5149bad3a9aeef354f3cc7791893cd431
                                  • Opcode Fuzzy Hash: 7832e3d705a290adcb79be46be6cb2ca7755c4e4481e58e62de7e48a63287058
                                  • Instruction Fuzzy Hash: 3E217C72500640AFEB21CF65DD45BA6FBE8EF08724F14886AE9498B651D375E808CB62
                                  Function 00E10EFE Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E10F9C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 32564687a09ab7cde3124e3c75b4f22a46033e71103d7fadf1fb5c16c22d0766
                                  • Instruction ID: a9cd6273fc7bb8b233db7b7aa74946d94d6ad9d9eb691ae0631353c4ae5667b3
                                  • Opcode Fuzzy Hash: 32564687a09ab7cde3124e3c75b4f22a46033e71103d7fadf1fb5c16c22d0766
                                  • Instruction Fuzzy Hash: D321D172505740AFE722CB11CC45F93BBF8AF49314F08849AE9459B692D364E848CBB1
                                  Function 00E11016 Relevance: 1.6, APIs: 1, Instructions: 76COMMON
                                  Download Yara Rule
                                  APIs
                                  • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E24), ref: 00E11087
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: DescriptorSecurity$ConvertString
                                  • String ID:
                                  • API String ID: 3907675253-0
                                  • Opcode ID: 3514b6517c8401d3245cd477745ec0bd984087c4b48d71a854dd179e525cbae1
                                  • Instruction ID: 32693b605c13633c707498a221f4efdb54464db1c862dd83d20a88a48f2f8879
                                  • Opcode Fuzzy Hash: 3514b6517c8401d3245cd477745ec0bd984087c4b48d71a854dd179e525cbae1
                                  • Instruction Fuzzy Hash: 8621D771900244AFEB20DF65DC45FEAFBECEF04714F14845AE944DB641D774E9488AB1
                                  Function 0092B212 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 0092B291
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: d619459e14243471e438d395b04932e485878e2adb73bc0b712c40429aa6e916
                                  • Instruction ID: 87a10cc0e96033ce4447dcbb94d157c3da81011bb32fe652f5c92f5fec4cd150
                                  • Opcode Fuzzy Hash: d619459e14243471e438d395b04932e485878e2adb73bc0b712c40429aa6e916
                                  • Instruction Fuzzy Hash: 7521F072500314EEEB20DF51DC44FABFBFCEF18324F14885AE9458B645D364E9088AB2
                                  Function 0092AC37 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetFileType.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 0092ACBD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  • Opcode ID: 7ac14424ac4c7cd211622edea8ddde8d5c8e7c21972ef977ecde96f4daef79cd
                                  • Instruction ID: 9411152998d865e29ff9c848b498e4842f2e786533404b281350e3ecec42f240
                                  • Opcode Fuzzy Hash: 7ac14424ac4c7cd211622edea8ddde8d5c8e7c21972ef977ecde96f4daef79cd
                                  • Instruction Fuzzy Hash: B221C6B54097806FE7128B11DC40BE2BFB8DF46314F1880DAE9848B293D264A909C772
                                  Function 0092A9BF Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                  Download Yara Rule
                                  APIs
                                  • SetErrorMode.KERNELBASE(?), ref: 0092AA44
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: 44b9c29e286cfb01c13c61277cc07a289f1e4b88e204764fe455653e0d9624dd
                                  • Instruction ID: d039920158048ec8af7d257b7a68afeb104ac2ef1ba5611687d55b42c4ffab87
                                  • Opcode Fuzzy Hash: 44b9c29e286cfb01c13c61277cc07a289f1e4b88e204764fe455653e0d9624dd
                                  • Instruction Fuzzy Hash: 3C21486540E7C09FDB138B259C64A51BFB4AF57624F0E80DBD9848F6A3C2689C48CB72
                                  Function 00E12983 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E129FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: ProcessSizeWorking
                                  • String ID:
                                  • API String ID: 3584180929-0
                                  • Opcode ID: dfb1bbbe0f67003ea88a1d8a18bb6464b7916c64a05ff167f1d3c3f37f96e870
                                  • Instruction ID: 05b33eec408839610cc51a7401710aedf32dd0f313c8cd767b9c32b545791200
                                  • Opcode Fuzzy Hash: dfb1bbbe0f67003ea88a1d8a18bb6464b7916c64a05ff167f1d3c3f37f96e870
                                  • Instruction Fuzzy Hash: 3C2192715053846FDB21CB11DC45F96BFB8EF46324F0884AAE9449B292D374E948CBA5
                                  Function 00E12A67 Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                  Download Yara Rule
                                  APIs
                                  • SetProcessWorkingSetSize.KERNEL32(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E12AE3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: ProcessSizeWorking
                                  • String ID:
                                  • API String ID: 3584180929-0
                                  • Opcode ID: dfb1bbbe0f67003ea88a1d8a18bb6464b7916c64a05ff167f1d3c3f37f96e870
                                  • Instruction ID: 1f526d03f3417d03281ab2e54605b1f3f07626e64f20a480635a85b9fce5503e
                                  • Opcode Fuzzy Hash: dfb1bbbe0f67003ea88a1d8a18bb6464b7916c64a05ff167f1d3c3f37f96e870
                                  • Instruction Fuzzy Hash: 9321A4715093846FD722CF11DC45FA6BFB8EF46324F0884AEE944DB292D364A948CBB5
                                  Function 0092B06A Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON
                                  Download Yara Rule
                                  APIs
                                  • CreateMutexW.KERNELBASE(?,?), ref: 0092B0DD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CreateMutex
                                  • String ID:
                                  • API String ID: 1964310414-0
                                  • Opcode ID: 344b2265cb5a23a9e195ad0c769fabcecce03a73f7c1c11c082cd2d956395332
                                  • Instruction ID: 20c0ab3ce7071adca9e6d4d79357bd9297094a6df37e55e1f5af95ee30b6942d
                                  • Opcode Fuzzy Hash: 344b2265cb5a23a9e195ad0c769fabcecce03a73f7c1c11c082cd2d956395332
                                  • Instruction Fuzzy Hash: 2221C271500210AFE720DF65DD45BA6FBE8EF04324F14846AED488B745D775E808CBB2
                                  Function 00E1143D Relevance: 1.6, APIs: 1, Instructions: 72COMMON
                                  Download Yara Rule
                                  APIs
                                  • shutdown.WS2_32(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E114C0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: shutdown
                                  • String ID:
                                  • API String ID: 2510479042-0
                                  • Opcode ID: 5d887759694e2da50c19b98e04795aa879999b3f7ad30a704f007970316de72e
                                  • Instruction ID: aa871aad85c1a7c3a66d1b64c70ed2de9186e09815eedb3a0a65404f4f064587
                                  • Opcode Fuzzy Hash: 5d887759694e2da50c19b98e04795aa879999b3f7ad30a704f007970316de72e
                                  • Instruction Fuzzy Hash: 162195B14093846FD7128B55CC44B96BFB8EF46324F1884DAE9849F252C368A948C7A2
                                  Function 0092B31A Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 0092B394
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 087eb505348d1aa02f9eef16f8873fadac74c04e2fba89a772825cf5043c984d
                                  • Instruction ID: 8c88849b3999565e0d5cb35d7a58872f32eefce024795578418451fa36dea15e
                                  • Opcode Fuzzy Hash: 087eb505348d1aa02f9eef16f8873fadac74c04e2fba89a772825cf5043c984d
                                  • Instruction Fuzzy Hash: 9721CD72600210AFE720CF51DC80FA6B7ECEF04724F18845AE949CB655D360E808CAB1
                                  Function 00E126F7 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                  Download Yara Rule
                                  APIs
                                  • ioctlsocket.WS2_32(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E12773
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: ioctlsocket
                                  • String ID:
                                  • API String ID: 3577187118-0
                                  • Opcode ID: 393827ff91f0284f2f578399682dad32fdb61af4816a758bc98716b13ccda1b9
                                  • Instruction ID: 1c631a1b35e0de59c9e6063510db1781803669a3fdbcffebfddfe4cb8c829af3
                                  • Opcode Fuzzy Hash: 393827ff91f0284f2f578399682dad32fdb61af4816a758bc98716b13ccda1b9
                                  • Instruction Fuzzy Hash: 2021A1714093846FD722CF11CC84F96BFB8EF45324F08849BE9489B292C365A908C7A2
                                  Function 00E11947 Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00E119C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Connect
                                  • String ID:
                                  • API String ID: 3144859779-0
                                  • Opcode ID: 2410e266b932f1e24a6a5388a52fea1a088e512c9283c8c33dc8cef36625647a
                                  • Instruction ID: bbd89a7d0ec5b0e12fa99149dcd64897b9346ed91502662506e2b00c3e14e6ee
                                  • Opcode Fuzzy Hash: 2410e266b932f1e24a6a5388a52fea1a088e512c9283c8c33dc8cef36625647a
                                  • Instruction Fuzzy Hash: B021B071409780AFDB228F61CC84B92BFF4EF46310F0985DAE9858F262D375E849DB61
                                  Function 00E10BEA Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WSASocketW.WS2_32(?,?,?,?,?), ref: 00E10C56
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Socket
                                  • String ID:
                                  • API String ID: 38366605-0
                                  • Opcode ID: d9166061a72f166177c14b083ecc3ec6fead23cc714a09d02814a6b885093401
                                  • Instruction ID: 634cce32a9c2ba3117649d9d3a2faf564cf1b530a42fff4262a9c54f8b395688
                                  • Opcode Fuzzy Hash: d9166061a72f166177c14b083ecc3ec6fead23cc714a09d02814a6b885093401
                                  • Instruction Fuzzy Hash: 2B21D171500200AFEB21CF51CD45F96FBE4EF08324F14885EE9859B651D3B1E458CBB2
                                  Function 00E111C6 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: FileView
                                  • String ID:
                                  • API String ID: 3314676101-0
                                  • Opcode ID: 1704d96f1e3d6df76d31039da3d02915f88fd1e53bf0952a13e4449444ffb799
                                  • Instruction ID: e740929a40353d4cfbf890dba419c73b3888e0b5aa1d17f1069b4c402802a2f4
                                  • Opcode Fuzzy Hash: 1704d96f1e3d6df76d31039da3d02915f88fd1e53bf0952a13e4449444ffb799
                                  • Instruction Fuzzy Hash: 2E21DE71500204AFEB21CF55CD44FDAFBE8EF08328F14849DEA898B651D375E848CBA2
                                  Function 0092B4F6 Relevance: 1.6, APIs: 1, Instructions: 66windowtimeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • SendMessageTimeoutA.USER32(?,00000E24), ref: 0092B571
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: MessageSendTimeout
                                  • String ID:
                                  • API String ID: 1599653421-0
                                  • Opcode ID: 62a2a7c3aa1db34778633bfa7fb166a93f5513573facb87be072b5aace3c5919
                                  • Instruction ID: dbf7e4615e48be43f701c5044d2b736af87ff02e20c076162eebe8caa7cdfcd5
                                  • Opcode Fuzzy Hash: 62a2a7c3aa1db34778633bfa7fb166a93f5513573facb87be072b5aace3c5919
                                  • Instruction Fuzzy Hash: 4421CD72500600AFEB218F50DD41FA6FBF8EF44714F14885AFE859A691D375E5188BA2
                                  Function 00E11C06 Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,00000E24), ref: 00E11C8F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: da04069c03dec823ed1e016be8d372b5b0d8bc4ac7c407e206a1296b97d0b690
                                  • Instruction ID: e7e0bb9309ccc0faf67c94df83d2e7be8da37d7e07e55be6afef0e6b28073948
                                  • Opcode Fuzzy Hash: da04069c03dec823ed1e016be8d372b5b0d8bc4ac7c407e206a1296b97d0b690
                                  • Instruction Fuzzy Hash: B011E4715043406FE721CB11DC85FE6FBB8DF45324F18809AF9489B292C364A948CBA6
                                  Function 0092B40E Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegSetValueExW.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 0092B480
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Value
                                  • String ID:
                                  • API String ID: 3702945584-0
                                  • Opcode ID: 7a8ee36a6314f95ba7f9fd6cc4caff0b4e01d990472e003c02966a50d5b0e2b9
                                  • Instruction ID: 0fafc90334b837700b970225a19ba80551cd09d306a7e716a0f2ce5b49c5445a
                                  • Opcode Fuzzy Hash: 7a8ee36a6314f95ba7f9fd6cc4caff0b4e01d990472e003c02966a50d5b0e2b9
                                  • Instruction Fuzzy Hash: CB119076600614AFEB219F11DC80FA7FBECEF44724F14855AED458A766D374E808CAB1
                                  Function 00E10F2A Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E10F9C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 446af90ab6db0cda3deacce561ddf60e6e7ee566b26ec5d4fe277291f3569935
                                  • Instruction ID: 7141b53590d572ffc78606a5d2738c235dfca0a0ef52c35754deb9f4f08e3f7c
                                  • Opcode Fuzzy Hash: 446af90ab6db0cda3deacce561ddf60e6e7ee566b26ec5d4fe277291f3569935
                                  • Instruction Fuzzy Hash: 1611B176600604AFE731CF11CC41FE6F7F8EF48724F18845AE9459B651D360E889CAB2
                                  Function 0092B91A Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                  Download Yara Rule
                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0092B982
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 3bc0c97fad133d2202f75c942c496f397b302fd5c0ca2d3ab1e391f48773dc5b
                                  • Instruction ID: 5fa24b466e0410656aaa029cc5971ad1ceddb1c121bbd70cca988fe7f3e9e5e2
                                  • Opcode Fuzzy Hash: 3bc0c97fad133d2202f75c942c496f397b302fd5c0ca2d3ab1e391f48773dc5b
                                  • Instruction Fuzzy Hash: E91190B6604380AFDB21CF25DC84B52BFE8EF46324F0884AAED45DB256D374E844CB61
                                  Function 00E11732 Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessTimes.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E11791
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: ProcessTimes
                                  • String ID:
                                  • API String ID: 1995159646-0
                                  • Opcode ID: 8ec832d14047dc2f7f4f89894260ef838363930856035e442cd0ac84451a6782
                                  • Instruction ID: cec710be082bc8da38fa023d50ec9de186a85701ae4522635ea0a1cf955b3d65
                                  • Opcode Fuzzy Hash: 8ec832d14047dc2f7f4f89894260ef838363930856035e442cd0ac84451a6782
                                  • Instruction Fuzzy Hash: 9E11E272500204AFEB218F51DD44FEAFBF8EF45324F1484AAEA459B791D370E8488BB1
                                  Function 00E129A6 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetProcessWorkingSetSize.KERNEL32(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E129FF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: ProcessSizeWorking
                                  • String ID:
                                  • API String ID: 3584180929-0
                                  • Opcode ID: efbdd230ff6be32f5838085812e3cbbf50271ec70a051eaca3dd1deea90aade2
                                  • Instruction ID: 5960225d35f0201755f1bb40a7696772a429d271d9da41172afba31204c98120
                                  • Opcode Fuzzy Hash: efbdd230ff6be32f5838085812e3cbbf50271ec70a051eaca3dd1deea90aade2
                                  • Instruction Fuzzy Hash: 36110171600200AFEB20CF55CC44BE6BBA8EF44324F18C86EEE089B651D370E8588AB5
                                  Function 00E12A8A Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                  Download Yara Rule
                                  APIs
                                  • SetProcessWorkingSetSize.KERNEL32(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E12AE3
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: ProcessSizeWorking
                                  • String ID:
                                  • API String ID: 3584180929-0
                                  • Opcode ID: efbdd230ff6be32f5838085812e3cbbf50271ec70a051eaca3dd1deea90aade2
                                  • Instruction ID: a471ca0edc9c621522e31670c82e18a3443e4d4baa033adfa6874b90f7df7402
                                  • Opcode Fuzzy Hash: efbdd230ff6be32f5838085812e3cbbf50271ec70a051eaca3dd1deea90aade2
                                  • Instruction Fuzzy Hash: CB110172600200AFEB21CF51DC44FEAB7A8EF44324F14846EEE08DB641D374E9588BB5
                                  Function 0092A573 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                  Download Yara Rule
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0092A5DE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 25816617b12fd1ef344b7cd8a6da4bcd071b9eb7303e943cd0bb78bec3c5e50e
                                  • Instruction ID: 374d0fa4fd7d3d3b0deacf9370d853a194e62777b21a41e04fcb698d32e0ee24
                                  • Opcode Fuzzy Hash: 25816617b12fd1ef344b7cd8a6da4bcd071b9eb7303e943cd0bb78bec3c5e50e
                                  • Instruction Fuzzy Hash: 51117571405780AFDB228F51DC44B52FFF4EF46310F0888DAED858B562C375A818DB62
                                  Function 00E128CA Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetExitCodeProcess.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E12920
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CodeExitProcess
                                  • String ID:
                                  • API String ID: 3861947596-0
                                  • Opcode ID: e9d8397b050ba14bbdd75ae3e5bd51c298d3ccc6f73533821736a99b3d935da7
                                  • Instruction ID: a087de83cc73d79fccae9e68bba8c0915d8841374f9b03a623db2b2afe14e0ca
                                  • Opcode Fuzzy Hash: e9d8397b050ba14bbdd75ae3e5bd51c298d3ccc6f73533821736a99b3d935da7
                                  • Instruction Fuzzy Hash: 2211E371600200AFEB108F15DC85BEAB7E8DF84724F14846AEE48DB641D774E9488AB1
                                  Function 0092AEAE Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 0092AF0D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 0d65a9878118086ff3b24f88137a5b7202113776fc206aa40f8eee04135585fa
                                  • Instruction ID: d55ccb09faf3033fb91674e220700ea9e1acb870703bdd43c86f3f24327f5173
                                  • Opcode Fuzzy Hash: 0d65a9878118086ff3b24f88137a5b7202113776fc206aa40f8eee04135585fa
                                  • Instruction Fuzzy Hash: D3110472500200AFEB21CF51DD40FA6FBF8EF44324F14845AEE489B655C334E4088BB2
                                  Function 00E1271A Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                  Download Yara Rule
                                  APIs
                                  • ioctlsocket.WS2_32(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E12773
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: ioctlsocket
                                  • String ID:
                                  • API String ID: 3577187118-0
                                  • Opcode ID: db27b0d5ab5c323b5090567370f50061ddf5abd4ac055bb3a660775b79b9f524
                                  • Instruction ID: 61b3e84fb079c477d85bda4d7392716fea4ae8df2c4136a3335c7e40fe0ff5c8
                                  • Opcode Fuzzy Hash: db27b0d5ab5c323b5090567370f50061ddf5abd4ac055bb3a660775b79b9f524
                                  • Instruction Fuzzy Hash: 0A11E371500200AFEB20CF51CD44BE6F7E8EF44324F14846AEE489B681C375A5588AB2
                                  Function 00E1146A Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                  Download Yara Rule
                                  APIs
                                  • shutdown.WS2_32(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 00E114C0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: shutdown
                                  • String ID:
                                  • API String ID: 2510479042-0
                                  • Opcode ID: 58004b31ea9b933af66e0f1279611d7dad879495c3f8168aa3729c975f90b25e
                                  • Instruction ID: fd6950c021d07a13bb74cd4cb08b27b10427ccca8d2e4faf1c6e755d314aff93
                                  • Opcode Fuzzy Hash: 58004b31ea9b933af66e0f1279611d7dad879495c3f8168aa3729c975f90b25e
                                  • Instruction Fuzzy Hash: 8E11C271500204AEEB20CF55DD84BE6B7A8EF44724F2484AAEE499B741D374E9488AB6
                                  Function 00E11C26 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • LoadLibraryA.KERNELBASE(?,00000E24), ref: 00E11C8F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: ac834564fb56b36c5ef56a73d57eb7dd56aebfcbc19f0755eafc0e226ca66e16
                                  • Instruction ID: 03713838b535219bfd0b6ad20bac1c1b328c23fd97be8363ef0cfeeb59e9a855
                                  • Opcode Fuzzy Hash: ac834564fb56b36c5ef56a73d57eb7dd56aebfcbc19f0755eafc0e226ca66e16
                                  • Instruction Fuzzy Hash: FD110871640204AEE720DB11DD81FF6F7A8DF44724F248099FE495A781D3B5E948CAF6
                                  Function 00E127F6 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: select
                                  • String ID:
                                  • API String ID: 1274211008-0
                                  • Opcode ID: b67cf0b69ea52dd199d3e8cb89fccaffd5ed28a4f6173089c51a38fc927d77ad
                                  • Instruction ID: 19d85816092be411adb0187dfd6760b5b64f1760a151dad88f286751121187ed
                                  • Opcode Fuzzy Hash: b67cf0b69ea52dd199d3e8cb89fccaffd5ed28a4f6173089c51a38fc927d77ad
                                  • Instruction Fuzzy Hash: 53118C716002049FEB20CF55DC84B92FBE8EF04724F0884AEDE49DB262D330E898CB61
                                  Function 0092B93A Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                                  Download Yara Rule
                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0092B982
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: ec84ed22516a9b12063eb0b4c27d4680545d0603492b6d56b6c612ef9357941d
                                  • Instruction ID: a602abf92bbfe6977100b05763167df6fd569aea9e49deadf8fc292636e1f23c
                                  • Opcode Fuzzy Hash: ec84ed22516a9b12063eb0b4c27d4680545d0603492b6d56b6c612ef9357941d
                                  • Instruction Fuzzy Hash: A711A5766006009FDB10CF15ED85B56FBE8EF04324F18C46ADD49DB756D334D844CA61
                                  Function 0092AC6A Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetFileType.KERNELBASE(?,00000E24,465146A2,00000000,00000000,00000000,00000000), ref: 0092ACBD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: FileType
                                  • String ID:
                                  • API String ID: 3081899298-0
                                  • Opcode ID: b0fc7d9037c956acca2e35bc7cd6b88bc2a779346dfdb2ef55db14859e2b05c0
                                  • Instruction ID: 493ed564e6a6944255197a72e01083e6792e70341c7aa33a69fe4a2d56c9460d
                                  • Opcode Fuzzy Hash: b0fc7d9037c956acca2e35bc7cd6b88bc2a779346dfdb2ef55db14859e2b05c0
                                  • Instruction Fuzzy Hash: 6901D272500214AFE720CB01ED84BA6F7ACDF44724F14C49AEE488B745D378E9488AB6
                                  Function 00E1197A Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 00E119C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Connect
                                  • String ID:
                                  • API String ID: 3144859779-0
                                  • Opcode ID: 23f5808cbe166e91a815b07091ab122296e1b97afa357af7d08fbbf65cb37905
                                  • Instruction ID: c4d95e7d262dea7c0b9cd69d9dca1df237cf9244d8d85caa7f6fd86e0adc82aa
                                  • Opcode Fuzzy Hash: 23f5808cbe166e91a815b07091ab122296e1b97afa357af7d08fbbf65cb37905
                                  • Instruction Fuzzy Hash: DF118E31500644AFDB20CF55D944B92FBF4EF48324F18C9AADE959B622D331E898DF62
                                  Function 0092A59A Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                                  Download Yara Rule
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0092A5DE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 89a2969dfbfc1130486733d985553d57c8911621ee8ce5c88977092ab2ffbdaf
                                  • Instruction ID: 6844ab53dc97cc2fd3d67b83e50929857aed867f3eac1861c2e7c4dd6ef32c8f
                                  • Opcode Fuzzy Hash: 89a2969dfbfc1130486733d985553d57c8911621ee8ce5c88977092ab2ffbdaf
                                  • Instruction Fuzzy Hash: F3016D724007009FDB218F55D944B56FFE4EF48720F18C89EEE494A665C376E418DF62
                                  Function 0092A72E Relevance: 1.5, APIs: 1, Instructions: 43comclipboardCOMMON
                                  Download Yara Rule
                                  APIs
                                  • OleGetClipboard.OLE32(?,00000E24,?,?), ref: 0092A779
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: Clipboard
                                  • String ID:
                                  • API String ID: 220874293-0
                                  • Opcode ID: 122e50e22982c0f20ef9b209d54590ea7462f4b4e01bd07c5bb3f6bfe4e8b53b
                                  • Instruction ID: c3e4aa8a82ebb45b515fdee65135ab16e8ca34426130cf938fcb6c1c2f2c9d8c
                                  • Opcode Fuzzy Hash: 122e50e22982c0f20ef9b209d54590ea7462f4b4e01bd07c5bb3f6bfe4e8b53b
                                  • Instruction Fuzzy Hash: DC01D671500600ABD310DF16CC46B66FBE8FB88B20F248159ED089BB41D771F915CBE5
                                  Function 00E10B4E Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00E10B9E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571132731.0000000000E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_e10000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: db00d29af6725fffa548190c08b070b744a723a186ef61b32a88bc49092ecee1
                                  • Instruction ID: 866137a612235540b38737d96c0828d5650b9de89aff3e67cc56b5c2e3d5bd36
                                  • Opcode Fuzzy Hash: db00d29af6725fffa548190c08b070b744a723a186ef61b32a88bc49092ecee1
                                  • Instruction Fuzzy Hash: DE01D671500600ABD310DF16CC46B66FBE8FB88B20F24815AED089BB41D771F915CBE5
                                  Function 00D77288 Relevance: 1.5, Strings: 1, Instructions: 287COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 2Yl
                                  • API String ID: 0-600701926
                                  • Opcode ID: fbd066532d2fc194167e63efc00cc27b3a74728964d9340e68bb44d3c4f6ea78
                                  • Instruction ID: 13b2311e52b17f8ccd7dd159155d6121a69f3516127f57cee5f132d6e935b57d
                                  • Opcode Fuzzy Hash: fbd066532d2fc194167e63efc00cc27b3a74728964d9340e68bb44d3c4f6ea78
                                  • Instruction Fuzzy Hash: CFA1E1317082018BD714EB39D945BAD33E2EB88318F188A29D81ADB3D5EB34DD46CB60
                                  Function 0092AA12 Relevance: 1.5, APIs: 1, Instructions: 35COMMON
                                  Download Yara Rule
                                  APIs
                                  • SetErrorMode.KERNELBASE(?), ref: 0092AA44
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: cd882821c96b27eecf4e1cde623ae82f2fa7b41647ebd696926ee2d4ebcf7924
                                  • Instruction ID: 3fae8915004046fd3e7d877580bba8bf4622c3521313f960b2a09280b4b4cef1
                                  • Opcode Fuzzy Hash: cd882821c96b27eecf4e1cde623ae82f2fa7b41647ebd696926ee2d4ebcf7924
                                  • Instruction Fuzzy Hash: 05F0AF369006449FDB208F05EA84761FBE4EF44724F18C09ADD494B756D379E948CEA3
                                  Function 00D79445 Relevance: 1.5, Strings: 1, Instructions: 232COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l
                                  • API String ID: 0-1731998491
                                  • Opcode ID: d730c053db9ff340fe9b67a3515459b6b4656f486bb1be5381618275a105a579
                                  • Instruction ID: 73b2e745b09dac8fed57ca83257b58cc423731acdf722874166d240bc5d2390c
                                  • Opcode Fuzzy Hash: d730c053db9ff340fe9b67a3515459b6b4656f486bb1be5381618275a105a579
                                  • Instruction Fuzzy Hash: 75910B34A01204DFCB09EFB5E850A9D77B2FF88348B51852AE416977A8DF359C26DF90
                                  Function 00D794A3 Relevance: 1.5, Strings: 1, Instructions: 221COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l
                                  • API String ID: 0-1731998491
                                  • Opcode ID: b2b59bf0c4d5ce1949b46c6b9d2315c10447ebd304fa1380c1462ac1fe3379f5
                                  • Instruction ID: b0d9ac1351939850af2e3f6d523be244a892ab09e83341f550a89538050bc362
                                  • Opcode Fuzzy Hash: b2b59bf0c4d5ce1949b46c6b9d2315c10447ebd304fa1380c1462ac1fe3379f5
                                  • Instruction Fuzzy Hash: AD910B34A01204DFCB19EFB5E850A9D73B2FF88348B51852AE416977A8DF359C26DF90
                                  Function 00D794F3 Relevance: 1.5, Strings: 1, Instructions: 214COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l
                                  • API String ID: 0-1731998491
                                  • Opcode ID: bdde6eb742329f608e384b362361cf593d5de5cf591b6f75f1a0cbd8a776111d
                                  • Instruction ID: 4bd4d2ab8fd763f6b1c8c41dc9cae63d5f21da1865aef455c525b9f0fb3007ef
                                  • Opcode Fuzzy Hash: bdde6eb742329f608e384b362361cf593d5de5cf591b6f75f1a0cbd8a776111d
                                  • Instruction Fuzzy Hash: 60811B34A01204DFCB19EFB5E850A9D73B2FF88348B51852AE416977A8DF359C26DF90
                                  Function 00D76B55 Relevance: 1.4, Strings: 1, Instructions: 198COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l
                                  • API String ID: 0-1731998491
                                  • Opcode ID: 7a659896d5af933baacc78126e32779452d290d757d36ec04dce7269b292cfe0
                                  • Instruction ID: f9802bbde0a24196474ce7870b45590fa9a6c9d51f77f2cdb74d33bb6115772c
                                  • Opcode Fuzzy Hash: 7a659896d5af933baacc78126e32779452d290d757d36ec04dce7269b292cfe0
                                  • Instruction Fuzzy Hash: B7912C70A012288FDB25EF34D951BAD77B2EF88304F5081A9950A6B794DF359E86CF50
                                  Function 00D79575 Relevance: 1.4, Strings: 1, Instructions: 193COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l
                                  • API String ID: 0-1731998491
                                  • Opcode ID: 95f0418d52194834229d0b069111d270c5f2cf97a1156fc8976a1fbf1e2fc627
                                  • Instruction ID: 8e97808a821b95515ef467ee7ad299c25dc258d8762cf51b41ac1540335af0ea
                                  • Opcode Fuzzy Hash: 95f0418d52194834229d0b069111d270c5f2cf97a1156fc8976a1fbf1e2fc627
                                  • Instruction Fuzzy Hash: 60711B34B012009FCB19AF79E450A9D73B2FF88348B61852ED416977A8DF359C62DB91
                                  Function 00D739BF Relevance: 1.4, Strings: 1, Instructions: 182COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 2Yl
                                  • API String ID: 0-600701926
                                  • Opcode ID: 1799796a82369252ca5fbe269b469150b072e7dada545d0c653bd7fceb960988
                                  • Instruction ID: 5d816344928d1e9ffb78e065875b783a181db3f21d64d50e9b75fec88b206975
                                  • Opcode Fuzzy Hash: 1799796a82369252ca5fbe269b469150b072e7dada545d0c653bd7fceb960988
                                  • Instruction Fuzzy Hash: B6816D30A01218CFDB14EBB4C951BECB7B2EF49308F1085A9D40AAB394DB759E85CF51
                                  Function 00D79665 Relevance: 1.4, Strings: 1, Instructions: 146COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l
                                  • API String ID: 0-1731998491
                                  • Opcode ID: 28d46d118b05311632fccf42bbf9adc715d090f7c345feef8b0bfd21c17852a0
                                  • Instruction ID: 77f15a57104c1045a210e88e5d91ec87714b157ca30fabc233319589b8885db1
                                  • Opcode Fuzzy Hash: 28d46d118b05311632fccf42bbf9adc715d090f7c345feef8b0bfd21c17852a0
                                  • Instruction Fuzzy Hash: D3515F35B012149FDB18EFB5E860AADB3A2FF88748F11812AD41697798DF349C16CB91
                                  Function 00D73B18 Relevance: 1.4, Strings: 1, Instructions: 111COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 2Yl
                                  • API String ID: 0-600701926
                                  • Opcode ID: 7e169673aa4a305a592523372a448d1b2d28a9441ecf55bc3dc5145e856819be
                                  • Instruction ID: ac4fd1100bb26b3315120deb7c82a8caa4a0aceeae95b5db8fe8101f7d4e4480
                                  • Opcode Fuzzy Hash: 7e169673aa4a305a592523372a448d1b2d28a9441ecf55bc3dc5145e856819be
                                  • Instruction Fuzzy Hash: 90416D30A012588FDB14EBB4C855BECB7F1FF89308F1041AAD00AAB695DB759E49CF61
                                  Function 00D70958 Relevance: 1.4, Strings: 1, Instructions: 109COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: :@2l
                                  • API String ID: 0-1731998491
                                  • Opcode ID: ef6e54bc5fafe549bb2311abd595ed433147554f5fe60ffa98bd067a4d454a67
                                  • Instruction ID: f919bb9b6f85be8874e253217ee350cf1aa23541f1ca3c0c24aa8e8e62acf0d7
                                  • Opcode Fuzzy Hash: ef6e54bc5fafe549bb2311abd595ed433147554f5fe60ffa98bd067a4d454a67
                                  • Instruction Fuzzy Hash: CC31E6307012118FDB04BB75D9117BE37A6EB88308F14843ED416D7799EF388D1A8BA2
                                  Function 0092AB7C Relevance: 1.3, APIs: 1, Instructions: 69COMMON
                                  Download Yara Rule
                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 0092ABF0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 0fd55c05687081ddc4d90295713c716e7c7da0d86858d79edbe4e811ac7e8b2e
                                  • Instruction ID: 68b4c05d6b0fb584c09e02c660a5dfabd23b1fafdd09067d270fa48ca53630dc
                                  • Opcode Fuzzy Hash: 0fd55c05687081ddc4d90295713c716e7c7da0d86858d79edbe4e811ac7e8b2e
                                  • Instruction Fuzzy Hash: 7B21F6755097C05FD7128F25DC91792BFB8EF07320F0984DADD848F263D2249909C762
                                  Function 0092BB50 Relevance: 1.3, APIs: 1, Instructions: 68COMMON
                                  Download Yara Rule
                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 0092BBBC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 5c05a1bc17ef595f0e639b0413c3f0c2033da3a772d35e2d349e8d74322227c4
                                  • Instruction ID: 4cc19f9b5e4f9fde9835cf5408e74ab1de20a8f6e4a733588154a5b0655d4988
                                  • Opcode Fuzzy Hash: 5c05a1bc17ef595f0e639b0413c3f0c2033da3a772d35e2d349e8d74322227c4
                                  • Instruction Fuzzy Hash: 7A21C0725093C05FDB128B25DC95B92BFF4AF07324F0984DAED858F663D264A908CB62
                                  Function 0092A61E Relevance: 1.3, APIs: 1, Instructions: 63COMMON
                                  Download Yara Rule
                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 0092A690
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 1f12f2babc968a4f08cf6e6b908b2ffe193e891bea080a72b18e7793dc264719
                                  • Instruction ID: b8c6bfde4873f251e51f1410e10d64a50ed4b34815445121c4de8fcf0e3acbc9
                                  • Opcode Fuzzy Hash: 1f12f2babc968a4f08cf6e6b908b2ffe193e891bea080a72b18e7793dc264719
                                  • Instruction Fuzzy Hash: 5F214A714093C49FDB128B25DD95B92BFB4DF07220F0984DBDD849F2A3D2699908DBB2
                                  Function 0092BB8A Relevance: 1.3, APIs: 1, Instructions: 43COMMON
                                  Download Yara Rule
                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 0092BBBC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: b7f832f60b866d5fa4c7d305046504d34f4312fe0220d70ed93c4f424e2442a3
                                  • Instruction ID: 0f4687c54530625dcb5c71683d62afbf13e50f8a24ac062a89055db36cb998b0
                                  • Opcode Fuzzy Hash: b7f832f60b866d5fa4c7d305046504d34f4312fe0220d70ed93c4f424e2442a3
                                  • Instruction Fuzzy Hash: 4F01DF719002408FDB10CF1AE985B92FBE4EF00720F18C4AADD498F75AC375E808CB62
                                  Function 0092ABBE Relevance: 1.3, APIs: 1, Instructions: 43COMMON
                                  Download Yara Rule
                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 0092ABF0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 559edbaa62834aed39ad6e6d9fd1b23fbe70bc861aedd0e16c07840f5fe172bd
                                  • Instruction ID: 940806da2386f7033f18be4ea4b11383fff245934da981dbf1c63a52572704b1
                                  • Opcode Fuzzy Hash: 559edbaa62834aed39ad6e6d9fd1b23fbe70bc861aedd0e16c07840f5fe172bd
                                  • Instruction Fuzzy Hash: A601DF729042009FDB10CF16E9857A6FBE8DF00320F18C4AADD498F756D279E808CA62
                                  Function 0092A65E Relevance: 1.3, APIs: 1, Instructions: 39COMMON
                                  Download Yara Rule
                                  APIs
                                  • CloseHandle.KERNELBASE(?), ref: 0092A690
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570281581.000000000092A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_92a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 566507aaf095c9a994cfae326b0209cb0b8d35ebbe96353236815fffc9847e9d
                                  • Instruction ID: 842142300a9a740377dd1dd58b35affa65edfdfeb55ed7848248e989aeb1daf7
                                  • Opcode Fuzzy Hash: 566507aaf095c9a994cfae326b0209cb0b8d35ebbe96353236815fffc9847e9d
                                  • Instruction Fuzzy Hash: 4001A2719002409FDB10CF55E984755FBE4DF04324F18C4AADD488F356D37AE808CEA2
                                  Function 00D73DCC Relevance: .2, Instructions: 193COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fcf15ca1d4d6317d7861caffd98670a1408340cc95011ac0872d790d86b23c95
                                  • Instruction ID: 09e18b147f1e8b5851a13f0671295f64edb1b8b5e232ac16805a1914c18e834e
                                  • Opcode Fuzzy Hash: fcf15ca1d4d6317d7861caffd98670a1408340cc95011ac0872d790d86b23c95
                                  • Instruction Fuzzy Hash: 0BA1E674A01218CFCB65EF74D950AECB7B2FB48308F1041AAD80AAB755DB359E96CF40
                                  Function 00D7726E Relevance: .2, Instructions: 156COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5fca98698d5b7423d95f068ce72a6e53bf6b65a2202651bdf0a11ab374963565
                                  • Instruction ID: 566c111ce169b22b25e5a15d42499a911c894b8135fc7cc86ef9d02709e1a9a4
                                  • Opcode Fuzzy Hash: 5fca98698d5b7423d95f068ce72a6e53bf6b65a2202651bdf0a11ab374963565
                                  • Instruction Fuzzy Hash: AE5104306093018FD715DF36A8047A93BE2EB45354F18CA66D85ADB2E6FB34DA46DB30
                                  Function 00D77666 Relevance: .1, Instructions: 137COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f6350766241d3e68045b8c4187379c3354031bb0c102150683b69152876f2f85
                                  • Instruction ID: 0726d957ce6b8f10888b2f491955a0d91e0f03e6b8a32721d3f560fd6e57655e
                                  • Opcode Fuzzy Hash: f6350766241d3e68045b8c4187379c3354031bb0c102150683b69152876f2f85
                                  • Instruction Fuzzy Hash: C641C0307092018BDB14DF36A9057A936E3AB44354F18C966D45ADB2E5EF38DA46DB30
                                  Function 00D79C40 Relevance: .1, Instructions: 107COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 35ed66d4c6202b5b77895b5895664708d3ad460d5249d7fd98d498544fa6924b
                                  • Instruction ID: 305ee02cde03ef031000d9262586f0f032508055efa811cf15840184e20e8538
                                  • Opcode Fuzzy Hash: 35ed66d4c6202b5b77895b5895664708d3ad460d5249d7fd98d498544fa6924b
                                  • Instruction Fuzzy Hash: 1D31A631B002059FDB14DB75D955BAEBBF6AF88344F248129E409EB3A4DB749D05CB90
                                  Function 00D70006 Relevance: .1, Instructions: 61COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: af857b208dfc9d517b7e9d0ca17bf4843df0f70aeff059ae842203345f5b60d4
                                  • Instruction ID: da5e61c4f7a40a31b9dd06466578aaff5bc57efa7e9be06638aa44078bd23cb7
                                  • Opcode Fuzzy Hash: af857b208dfc9d517b7e9d0ca17bf4843df0f70aeff059ae842203345f5b60d4
                                  • Instruction Fuzzy Hash: 3311282419F3C14FD70397709CA56817F70AE1710975E85EBC480CF1A7C659591EE762
                                  Function 05932194 Relevance: .1, Instructions: 60COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4574240802.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5930000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ed8f42c5a7f29fa00350a6a19e11e5d6fb93b684314c789110ae88c63911984d
                                  • Instruction ID: ede1d4d5dfdbc63b9b007f4668d84040983b16bc4d67dbc13cc3c2f9589418a8
                                  • Opcode Fuzzy Hash: ed8f42c5a7f29fa00350a6a19e11e5d6fb93b684314c789110ae88c63911984d
                                  • Instruction Fuzzy Hash: 1C11B8B5A08341AFD350CF19D940A5BFBE4FB88664F14896EF99897311D231E9048FA2
                                  Function 00D80814 Relevance: .1, Instructions: 59COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571080890.0000000000D80000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d80000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f315885fcaa86fe457a0324738f355f7d095d92ecd881df0ae45585db04a77ec
                                  • Instruction ID: 271f5839a03741ef092b65e1b01f2bbf655570c3ee5bcab8a9fe8cee2af6752e
                                  • Opcode Fuzzy Hash: f315885fcaa86fe457a0324738f355f7d095d92ecd881df0ae45585db04a77ec
                                  • Instruction Fuzzy Hash: D811E430208240DFD751EB10C940B25BFB5AB88708F28C9ADE8490B683C777D896DBA1
                                  Function 00D771C1 Relevance: .1, Instructions: 59COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1b571b8882c627a87785bcb8c4c76be99e0008e5b6bdb29f228a38e021e9af7c
                                  • Instruction ID: e6463be2ed3d8ff88b78af8e1751cbec7fe3b0428444a5e2627db6f71d693694
                                  • Opcode Fuzzy Hash: 1b571b8882c627a87785bcb8c4c76be99e0008e5b6bdb29f228a38e021e9af7c
                                  • Instruction Fuzzy Hash: 48019E3964D7904FC3226A3868215693B72EB8620572605BFD841EB393DB295C0EC3A6
                                  Function 00D79960 Relevance: .1, Instructions: 58COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e2a070abaff03de51c0daf9942aee4deee5a164b6c6a827c03dcf7455030114e
                                  • Instruction ID: b9faa3630d1856acac00e7a8850c0e63320c514706b9980f025719c2942a55d2
                                  • Opcode Fuzzy Hash: e2a070abaff03de51c0daf9942aee4deee5a164b6c6a827c03dcf7455030114e
                                  • Instruction Fuzzy Hash: 8E11A071F011059FCB54EFB898108EE7BFAEB8924472045BEC406E7746EB359E06CB90
                                  Function 0093B2F8 Relevance: .1, Instructions: 52COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570361325.000000000093A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_93a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 83e4724086ae21102c478042a4ddaf0f22a0446fca27c7c777c6c2ae5eb5764d
                                  • Instruction ID: bf6c8b80be2f97763bbfadd13a37b51b45508ffc70ddf91f49c70c0d3798f341
                                  • Opcode Fuzzy Hash: 83e4724086ae21102c478042a4ddaf0f22a0446fca27c7c777c6c2ae5eb5764d
                                  • Instruction Fuzzy Hash: FE11FAB5A08301AFD350CF09DD40E57FBE8EB88760F14896EF95997311D231E9088FA2
                                  Function 05932038 Relevance: .1, Instructions: 52COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4574240802.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5930000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 491c8b470c022ffc8a4b99dc4d8910c8c801abed5e235d7709141387b1386b41
                                  • Instruction ID: 7d090bff01a938febd3c58edc199d2cf7050152c485ae1d4d0f597e0bf0016d9
                                  • Opcode Fuzzy Hash: 491c8b470c022ffc8a4b99dc4d8910c8c801abed5e235d7709141387b1386b41
                                  • Instruction Fuzzy Hash: 9111FAB5A08301AFD350CF09DC80E57FBE8EB88760F14886EF95897311D231E9088FA2
                                  Function 00D70878 Relevance: .0, Instructions: 42COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1eaefe3d7977380e48cd985d3e92cb637129a4bdc69fcff1611736ba7d289663
                                  • Instruction ID: 84518e961e96047314c6bbb365a4984a7b8d80c9d51335dc7d78a0f3ee5a4eb0
                                  • Opcode Fuzzy Hash: 1eaefe3d7977380e48cd985d3e92cb637129a4bdc69fcff1611736ba7d289663
                                  • Instruction Fuzzy Hash: 53118E3420A7829FC700EB74D55454D7BE1EFC9208B15882DA9858B35ADF3498099F82
                                  Function 00D700A8 Relevance: .0, Instructions: 38COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5660ef4c4fd7e770bc37f8dcb07869887ccfe0ca30840c10d99ca5c607914aea
                                  • Instruction ID: f6966d0c3f45ebaa544bb12566252b9b937f7f615739de0d101a85d97a670a42
                                  • Opcode Fuzzy Hash: 5660ef4c4fd7e770bc37f8dcb07869887ccfe0ca30840c10d99ca5c607914aea
                                  • Instruction Fuzzy Hash: 9DF09676A01344DBEB18DBB08852BAE7B73EBC1714F00C5AED5459B1D5DA315D41C750
                                  Function 00D79C00 Relevance: .0, Instructions: 32COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f33640a4e8ce928feda614c0a5ffb95878dbf24d7914324d4d25fdc98e5ad5eb
                                  • Instruction ID: 2713daff85e717cf7265346ae5b45f464a558c40ec6f5a9ce0e6353ef89c6b0b
                                  • Opcode Fuzzy Hash: f33640a4e8ce928feda614c0a5ffb95878dbf24d7914324d4d25fdc98e5ad5eb
                                  • Instruction Fuzzy Hash: A3F0E932D4D2898ECB12CFB8A8554ECFF30EA02320B1443EAD899D71A2D7310519C762
                                  Function 00D808D0 Relevance: .0, Instructions: 31COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571080890.0000000000D80000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d80000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e688d466f81438e4200f8fd76d8625fe577cca3db3c4452d967b0a8c1c81d4f3
                                  • Instruction ID: abbe068a6b40764a2bd0314f31c825815ec5eeedb3698c7e2033b73228cf4fb6
                                  • Opcode Fuzzy Hash: e688d466f81438e4200f8fd76d8625fe577cca3db3c4452d967b0a8c1c81d4f3
                                  • Instruction Fuzzy Hash: 48F06D35108640DFC701DF00C580B15FBA2EB88718F24CAADE84807752C337D813DB91
                                  Function 00D80606 Relevance: .0, Instructions: 27COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571080890.0000000000D80000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d80000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2280332f42adec14a818625bc383a775eab17daaae94a6c8ba198ba5cd9f0aad
                                  • Instruction ID: 616db7fa194cb0750b56e9b9a3d6913c0915a22ec08f70cdbf3a6a2fc811a41d
                                  • Opcode Fuzzy Hash: 2280332f42adec14a818625bc383a775eab17daaae94a6c8ba198ba5cd9f0aad
                                  • Instruction Fuzzy Hash: 09E092B6A006044F9650CF0BEC41452F7E8EB84630718C07FDC0D8B701D235F909CAA5
                                  Function 0093B347 Relevance: .0, Instructions: 26COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570361325.000000000093A000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093A000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_93a000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c4767b0be697001c8c5e4c3aec42bd719e314a793f168c2b7e6e8f6413fede87
                                  • Instruction ID: ce4d25039af98b3d0536451246969f7a5b5205e9c4e0982e393dde9676415262
                                  • Opcode Fuzzy Hash: c4767b0be697001c8c5e4c3aec42bd719e314a793f168c2b7e6e8f6413fede87
                                  • Instruction Fuzzy Hash: 60E0D8B294020467D2108F069D45F52FBA8DB50A31F14C56BEE191B701D171B50489F6
                                  Function 05932087 Relevance: .0, Instructions: 26COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4574240802.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5930000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6dc1471dbb97626c0d89b39bda97873dc1bb1c039501013b7009443cf32cbe9f
                                  • Instruction ID: a8487f7cd0b5d0d193a5a9e259358cb94033516e0511785be4ecda1b649552b8
                                  • Opcode Fuzzy Hash: 6dc1471dbb97626c0d89b39bda97873dc1bb1c039501013b7009443cf32cbe9f
                                  • Instruction Fuzzy Hash: 4CE0D8B294030467D2509F069C45F53FBA8DB40A30F14C46BEE081B702D172B50489F5
                                  Function 05931AAB Relevance: .0, Instructions: 26COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4574240802.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5930000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 14fbce75f9738a3c41f484ec6ed0af27060f105f120e7473d88fbfcead5ba905
                                  • Instruction ID: 64f4c2e647582e91f88d772aa1df05c6927a0a6e67b49dcc96f65f916e5fe71c
                                  • Opcode Fuzzy Hash: 14fbce75f9738a3c41f484ec6ed0af27060f105f120e7473d88fbfcead5ba905
                                  • Instruction Fuzzy Hash: 08E0D8B294060467D2109F06AC45F53FB98DB80A30F18C46BEE081B701D172B514C9E5
                                  Function 059321FF Relevance: .0, Instructions: 26COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4574240802.0000000005930000.00000040.00000800.00020000.00000000.sdmp, Offset: 05930000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_5930000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 74e5e0cdfb285af554437ae5c4e0e880cf3978f5eeed39157f2f41bd19348b7b
                                  • Instruction ID: 41aec992c06614df6ebe207ed0214d75a45ccf01526abe85a1d97dd5019d7b98
                                  • Opcode Fuzzy Hash: 74e5e0cdfb285af554437ae5c4e0e880cf3978f5eeed39157f2f41bd19348b7b
                                  • Instruction Fuzzy Hash: 5DE0D8B294030467D2108F069C45F52FB9CDB94A31F14C46BEE181B741D171B51489E5
                                  Function 00D736A8 Relevance: .0, Instructions: 21COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3b40a7801378ce3729bec6da1397edfa1967ea70b20340c0249a4b61752e4ab6
                                  • Instruction ID: ef7eb9c22df8fe5d8d1088025376d2d812da6eff6f62001344018e905fb3b20b
                                  • Opcode Fuzzy Hash: 3b40a7801378ce3729bec6da1397edfa1967ea70b20340c0249a4b61752e4ab6
                                  • Instruction Fuzzy Hash: 0AE08C316EB7808FCB2A6B78645846C3B30EF4220834504FEC4468BBA3DA3B9487CB00
                                  Function 00D74200 Relevance: .0, Instructions: 21COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eaabd8b48292475e2a6c467b1fbf1eae841a8976c828aaa624c77893667829b2
                                  • Instruction ID: 3e0712a4ad6245553ad61de0e782a8eb56c402697cc4843615477c624bab6711
                                  • Opcode Fuzzy Hash: eaabd8b48292475e2a6c467b1fbf1eae841a8976c828aaa624c77893667829b2
                                  • Instruction Fuzzy Hash: 22E08671A5E2C49FCB01DF789D1189C7FB09A0220470202EAD845D71A2DA315E09DB62
                                  Function 009223F4 Relevance: .0, Instructions: 15COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570257917.0000000000922000.00000040.00000800.00020000.00000000.sdmp, Offset: 00922000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_922000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0a3204b096298af9bf63e42bcc1eed66bda890977a303d653a6dda397a3b6eaf
                                  • Instruction ID: 6d73a02326f12ef7634adc9acf53a9ae2ec6bc5a2656c72830e301deedb6ba0e
                                  • Opcode Fuzzy Hash: 0a3204b096298af9bf63e42bcc1eed66bda890977a303d653a6dda397a3b6eaf
                                  • Instruction Fuzzy Hash: A2D02E792086D04FD312AB0CD1A4B8537E8AB40704F0A00FEAC008B777C76CD881C600
                                  Function 009223BC Relevance: .0, Instructions: 14COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4570257917.0000000000922000.00000040.00000800.00020000.00000000.sdmp, Offset: 00922000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_922000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 72d92cbced25e7a18ebc10cd46168386cbd194cb69f2e0050bb576d56d84f871
                                  • Instruction ID: 1619d8e2563fc8f29fe004f86c2a9b34084e3e33133042f30d680842339314db
                                  • Opcode Fuzzy Hash: 72d92cbced25e7a18ebc10cd46168386cbd194cb69f2e0050bb576d56d84f871
                                  • Instruction Fuzzy Hash: 98D05E342002814BC719EB0CE2D4F5937E8AF40B14F1A44ECAC108B766C7A8D9C1CA00
                                  Function 00D74210 Relevance: .0, Instructions: 14COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0e97ebd4732f80f7f6c2a028c6bb985b52e5174d70641d840d567eecfd006bb0
                                  • Instruction ID: f3d4a4f417eafde1b45a3b72c3254f69f2851c38ddbcbf8e01b2de5c63276ba2
                                  • Opcode Fuzzy Hash: 0e97ebd4732f80f7f6c2a028c6bb985b52e5174d70641d840d567eecfd006bb0
                                  • Instruction Fuzzy Hash: 59D0C971A19208EF8B44DFA8DD0189DB7F9EB46219B1141A9A809D3250EE716E10EB91

                                  Non-executed Functions

                                  Function 00D78CD9 Relevance: .4, Instructions: 355COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4571064680.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_d70000_01koiHnedL.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3306ab8f843cd9590f160e574be5f3816a53e71b2df57707e0141b44a9aee25c
                                  • Instruction ID: a9e1163539d08abe83921761ea4528cba25e8acbd59254a59ceb12e973115dd4
                                  • Opcode Fuzzy Hash: 3306ab8f843cd9590f160e574be5f3816a53e71b2df57707e0141b44a9aee25c
                                  • Instruction Fuzzy Hash: 45C15A3354A3229BDB35AB72E951279F6A2BA04351349C072F495DB1D0FF28CD92EB70